010Edit分析爆破 + 算法逆向 + 注册机编写

爆破

假码 pName = xuanci pKey = 00112233445566778899

登录出错复制错误信息

---------------------------
010 Editor
---------------------------
Invalid name or password. Please enter your name and password exactly as given when you purchased 010 Editor (make sure no quotes are included).
---------------------------
&OK
---------------------------

字符串搜索下看看能不能搜索到相关信息

也可以通过CreateWindowExW回溯找到看自己来

这里看了下不让他跳也没见到登录成功的地方，那我们一步一步跟上去看看

可以看出这里成功了那么是不是我们在上面NOP掉直接就能成功，奔着这个思想我们来验证下

好像真的可以了，那我们就来看看到底做了些什么可以让他走过这个地方

002A1D30   > \81FB DB000000 cmp     ebx, 0xDB                        ;  根据这条汇编指令我们知道 ebx == 0xDB即可成功002A1C40   .  E8 747BE5FF   call    000F97B9                         ;  eax == 0xDB即可成功
002A1C45   .  8B0D 7C257000 mov     ecx, dword ptr [0x70257C]
002A1C4B   .  8BD8          mov     ebx, eax                         ;  可以看到ebx == eax
002A1C4D   .  8B45 E0       mov     eax, dword ptr [ebp-0x20]
002A1C50   .  3D E7000000   cmp     eax, 0xE7跳跟踪到上面我们可以找到ebx来自与eax      eax == call    000F97B9           eax == 0xDB就能调到成功了呢？   我们看看他什么情况下恒与0xDB进CALL 最下面 我们可以看到
003D5B99  |> \5F            pop     edi                              ;  Case 2D of switch 003D5AF3
003D5B9A  |.  B8 DB000000   mov     eax, 0xDB
003D5B9F  |.  5E            pop     esi
003D5BA0  |.  5D            pop     ebp
003D5BA1  \.  C2 0800       retn    0x8003D5B99又是003D5AF6  |. /0F84 9D000000 je      003D5B99跳转来的 我们只需要让je满足条件即可 003D5AEE  |.  E8 DDC1D1FF   call    000F1CD0
003D5AF3  |.  83F8 2D       cmp     eax, 0x2D                        ;  Switch (cases 2D..E7)
003D5AF6  |. /0F84 9D000000 je      003D5B99call 000F1CD0   返回值恒与 0x2D即可了那么我们进CALL  给他
mov eax,0x2D
ret 8

注意这里涉及了重定位纳闷我们先把随机基质给去除吧

可以先打开我们刚刚爆破的那个010Edit 然后把没修改的拖进去去修改随机基质

按Install安装下模板安装好我们就去找dll标志的字段

这里我们改成0 Ctrl+s保存即可

这时候我们在回去找到原来的地方给他修改汇编代码即可

提示我这个其实按正常来说应该是可以OK的但是这里多了个网络验证我们就得把网络验证去掉

我们OD载入刚修改好的然后在刚刚修改的地方下段即可单不跟踪

我们继续往下找是否还有错误的地方

重新来过

这里给他置1 让他的zf标志位为0

成功这里我们有很多种方法可以爆破可以使用

005B1CEA   > \75 27         jnz     short 005B1D13
改成
005B1CEA   > \75 27         jz     short 005B1D13也可以根据上面爆破0x2D一样CALL里返回值让他恒为1
005B3460      B8 01000000   mov     eax, 0x1
005B3465      C2 0400       retn    0x4
005B3468      90            nop
005B3469      90            nop这里随便就看自己了

算法分析

综上所诉我们得知那个控制0x2D的CALL就是我们需要分析的地方只要他==0x2D我们就可以过掉本地本地验证分析出算法我们就可以写出注册机

至于网络验证，我们就需要自己去打补丁也好怎么搞也好就要看自己了

那么我们来到返回0x2D的地方进行分析吧

005B1C1E   .  8B0D 7C25A100 mov     ecx, dword ptr [0xA1257C]
005B1C24   .  68 67480000   push    0x4867
005B1C29   .  6A 0C         push    0xC
005B1C2B   .  E8 A000E5FF   call    00401CD0
005B1C30   .  8B0D 7C25A100 mov     ecx, dword ptr [0xA1257C]首先看下参数 一个 0xC      0x4867          ecx我们去看下内存 看看到底是什么

看着是个地址那么我们跟进去过去看看到底都是什么

我们在ECX + 4的地址哪里看到了用户名

在ECX + 8的地址哪里看到了KEY

那么我们可以猜测这里是不是一个对象里面存放着账号密码 UNICODE类型的还有一些我们不知道的值具体用到再去分析

我们进CALL 去逐步分析

006E5229   > \8A45 E7       mov     al, byte ptr [ebp-0x19]          ;  al == k[3]
006E522C   .  3C 9C         cmp     al, 0x9C                         ;  这里判断K[3]是否等于0x9C; Switch (cases 9C..FC)
006E522E   .  75 70         jnz     short 006E52A0这里K[3] != 0x9C就继续判断006E52A0   > \3C FC         cmp     al, 0xFC
006E52A2   .  75 1F         jnz     short 006E52C3判断是否等于0xFC不等于在继续判断006E52C3   > \3C AC         cmp     al, 0xAC
006E52C5   .  0F85 94010000 jnz     006E545F这里在判断是否等于0XAC 在不行就给EAX == 0XE7    那么我们想获取的是0x2D这里获取E7肯定不对
这样我们就可以猜测K[3] == 0x9C / 0xFC / 0xAC

分析一段逻辑进行代码测试

006E5229   > \8A45 E7       mov     al, byte ptr [ebp-0x19]          ;  al == k[3]
006E522C   .  3C 9C         cmp     al, 0x9C                         ;  这里判断K[3]是否等于0x9C; Switch (cases 9C..FC)
006E522E   .  75 70         jnz     short 006E52A0
006E5230   .  8A45 E4       mov     al, byte ptr [ebp-0x1C]          ;  al == K[0]; Case 9C of switch 006E522C
006E5233   .  3245 EA       xor     al, byte ptr [ebp-0x16]          ;  al == k[0]^k[6]
006E5236   .  8845 DC       mov     byte ptr [ebp-0x24], al
006E5239   .  8A45 E5       mov     al, byte ptr [ebp-0x1B]          ;  al == k[1]
006E523C   .  3245 EB       xor     al, byte ptr [ebp-0x15]          ;  al == k[1]^k[7]
006E523F   .  FF75 DC       push    dword ptr [ebp-0x24]             ;  push al == k[0]^k[6]
006E5242   .  0FB6C8        movzx   ecx, al                          ;  ecx == (k[1]^k[7])&0xFF
006E5245   .  B8 00010000   mov     eax, 0x100                       ;  eax == 0x100
006E524A   .  0FAFC8        imul    ecx, eax                         ;  ecx =  ((k[1]^k[7])&0xFF)*0x100
006E524D   .  8A45 E6       mov     al, byte ptr [ebp-0x1A]          ;  al == k[2]
006E5250   .  3245 E9       xor     al, byte ptr [ebp-0x17]          ;  al == k[2]^k[5]
006E5253   .  0FB6C0        movzx   eax, al                          ;  eax == (k[2]^k[5])&0xFF
006E5256   .  66:03C8       add     cx, ax                           ;  cx = (((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)
006E5259   .  0FB7F1        movzx   esi, cx                          ;  esi =  (((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF
006E525C   .  E8 5309D2FF   call    00405BB4                         ;  处理K[0]和K[6] al == ((k[0]^k[6])^0x18 + 0x3D)^0xA7
006E5261   .  0FB6C0        movzx   eax, al                          ;  eax == (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF
006E5264   .  56            push    esi                              ;  push esi =  (((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF
006E5265   .  8943 1C       mov     dword ptr [ebx+0x1C], eax        ;  下面CALL 返回 eax =  ((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421
006E5268   .  E8 D84FD2FF   call    0040A245                         ;  计算的值和0xB做除法  余数不为0则返回0 余数为0则返回商
006E526D   .  8B4B 1C       mov     ecx, dword ptr [ebx+0x1C]        ;  ecx == (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF
006E5270   .  83C4 08       add     esp, 0x8
006E5273   .  0FB7C0        movzx   eax, ax                          ;  eax =  ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF
006E5276   .  8943 20       mov     dword ptr [ebx+0x20], eax
006E5279   .  85C9          test    ecx, ecx                         ;  判断  (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0
006E527B   .  0F84 DE010000 je      006E545F
006E5281   .  85C0          test    eax, eax                         ;  判断 eax =  (((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421)&0xFFFF != 0
006E5283   .  0F84 D6010000 je      006E545F
006E5289   .  3D E8030000   cmp     eax, 0x3E8                       ;  且 eax < 0x3E8
006E528E   .  0F87 CB010000 ja      006E545F

可以看到最后就是比较

判断 (((k[0]^k[6])0x18 + 0x3D)^0xA7)&0xFF != 0

判断 eax = ((((((((k[1]^{k[7])&0xFF)*0x100)+((k[2]}k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF != 0

判断 eax = ((((((((k[1]^{k[7])&0xFF)*0x100)+((k[2]}k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF < 0x3E8

已知K[3] == 0x9C / 0xFC / 0xAC

那么我们就开始写代码测试吧

#include <stdio.h>
#include <windows.h>
#include <time.h>int main()
{/*判断  (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0判断 eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF != 0判断 eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF < 0x3E8已知K[3] == 0x9C / 0xFC / 0xAC*/byte bKey[10] = { 0 };bKey[3] = 0x9C;srand(time(NULL));while (true){byte k0 = rand() % 0xFF;byte k6 = rand() % 0xFF;byte s1 = (((k0 ^ k6) ^ 0x18 + 0x3D) ^ 0xA7) & 0xFF;if (s1 != 0){//获取到了K0 和 K6bKey[0] = k0;bKey[6] = k6;break;}}while (true){byte k1 = rand() % 0xFF;byte k7 = rand() % 0xFF;byte k2 = rand() % 0xFF;byte k5 = rand() % 0xFF;DWORD s1 = (((((((k1 ^ k7) & 0xFF) * 0x100) + ((k2 ^ k5) & 0xFF) & 0xFFFF) ^ 0x7892) + 0x4D30) ^ 0x3421) & 0xFFFF;if ((s1 % 0xB) == 0 && (s1 / 0xB) < 0x3E8){bKey[1] = k1;bKey[7] = k7;bKey[2] = k2;bKey[5] = k5;break;}}for (int i = 0; i < 10; i++){printf("%02X", bKey[i]);}getchar();return 0;
}

得出KEY：53BDF79C000D8D1F

我们输入KEY 重新来过看看能不能到达我们想到达的地方

走到了我们想到达的地方

这里我们看到了返回了 ASCII码的Name

006E5355   .  8BCF          mov     ecx, edi                         ;  ecx == pName
006E5357   .  50            push    eax                              ; /Arg1
006E5358   .  FF15 104AA100 call    dword ptr [<&Qt5Core.QString::to>; \QString::toUtf8
006E535E   .  FF73 20       push    dword ptr [ebx+0x20]             ;  这里是 call    0040A245的返回值
006E5361   .  33C0          xor     eax, eax
006E5363   .  C745 FC 00000>mov     dword ptr [ebp-0x4], 0x0
006E536A   .  807D E7 FC    cmp     byte ptr [ebp-0x19], 0xFC        ;  判断K[3]是否为0xFC 因为我们写的是0x9C所以是个定值
006E536E   .  8D4D D4       lea     ecx, dword ptr [ebp-0x2C]        ;  ASCII Name的对象
006E5371   .  56            push    esi                              ;  0
006E5372   .  0f95c0        setne   al
006E5375   .  50            push    eax                              ;  1
006E5376   .  FF15 6C42A100 call    dword ptr [<&Qt5Core.QByteArray:>;  eax == ASCCName
006E537C   .  50            push    eax                              ;  用户名
006E537D   .  E8 B2ECD1FF   call    00404034                         ;  目前不知道是干嘛 进去看看好像也是加密 先不问
006E5382   .  8BD0          mov     edx, eax                         ;  edx == eax
006E5384   .  83C4 10       add     esp, 0x10                        ;  堆栈平衡 从这里可以猜测上面为4个参数
006E5387   .  3855 E8       cmp     byte ptr [ebp-0x18], dl          ;  k[4] == edx&0xFF
006E538A   .  0F85 BD000000 jnz     006E544D
006E5390   .  8BCA          mov     ecx, edx
006E5392   .  C1E9 08       shr     ecx, 0x8
006E5395   .  384D E9       cmp     byte ptr [ebp-0x17], cl          ;  k[5] == edx >> 0x8 &0xFF
006E5398   .  0F85 AF000000 jnz     006E544D
006E539E   .  8BCA          mov     ecx, edx
006E53A0   .  C1E9 10       shr     ecx, 0x10
006E53A3   .  384D EA       cmp     byte ptr [ebp-0x16], cl          ;  k[6] == edx >> 0x10 &0xFF
006E53A6   .  0F85 A1000000 jnz     006E544D
006E53AC   .  C1E8 18       shr     eax, 0x18
006E53AF   .  3845 EB       cmp     byte ptr [ebp-0x15], al          ;  k[7] == edx >> 0x18 &0xFF
006E53B2   .  0F85 95000000 jnz     006E544D
006E53B8   .  8A45 E7       mov     al, byte ptr [ebp-0x19]
006E53BB   .  3C 9C         cmp     al, 0x9C                         ;  k[3] == 0x9C; Switch (cases 9C..FC)
006E53BD   .  75 1D         jnz     short 006E53DC
006E53BF   .  8B45 08       mov     eax, dword ptr [ebp+0x8]         ;  Case 9C of switch 006E53BB
006E53C2   .  3B43 1C       cmp     eax, dword ptr [ebx+0x1C]
006E53C5   .  76 74         jbe     short 006E543B                   ;  如果上述条件都成立就说明成功了 这样我们就可以确定那个CALL 就是在验证Name和K[4]-K[7]之间的关系

我们进入那个加密CALL 去IDA看下看看能不能之间提取出来用

地址：006E4300 /> \55 push ebp

int __cdecl sub_6E4300(const char *a1, int a2, char a3, int a4)
{const char *v4; // edxint v5; // esisigned int v6; // edisigned int v7; // ebxint v8; // eaxint v9; // ecxint v10; // edxint v11; // esiunsigned __int8 v12; // alint v13; // esiint v14; // eaxint v16; // [esp+Ch] [ebp-18h]int v17; // [esp+10h] [ebp-14h]unsigned __int8 v18; // [esp+14h] [ebp-10h]unsigned __int8 v19; // [esp+18h] [ebp-Ch]unsigned __int8 v20; // [esp+1Ch] [ebp-8h]v4 = a1;v5 = 0;v6 = strlen(a1);v7 = 0;if ( v6 > 0 ){v17 = 15 * a4;v18 = 0;v19 = 0;v20 = 17 * a3;do{v8 = toupper((unsigned __int8)v4[v7]);v16 = v20;v9 = v17;v17 = (unsigned __int8)v17;v10 = v5 + dword_A04AD8[v8];if ( a2 ){v11 = dword_A04AD8[(unsigned __int8)(v8 + 47)] * (v10 ^ dword_A04AD8[(unsigned __int8)(v8 + 13)]);v12 = v19;}else{v11 = dword_A04AD8[(unsigned __int8)(v8 + 23)] * (v10 ^ dword_A04AD8[(unsigned __int8)(v8 + 63)]);v12 = v18;}v20 += 9;++v7;v19 += 19;v18 += 7;v4 = a1;v13 = dword_A04AD8[v12] + v11;v14 = v17;v17 = v9 + 13;v5 = dword_A04AD8[v16] + dword_A04AD8[v14] + v13;}while ( v7 < v6 );}return v5;
}

先来修改修改参数类型第一个参数是字符串一定是ASCII码因为传过去的就是ASCII的字符串第二个参数恒为1 第三个参数恒为0 第四个参数是call 0040A245的返回值这个参数我们返回的是/B返回的不是商就是0 然后在判断是否 < 0x3E8

这样我们就可以先用这个CALL 加载相应的Name 和第四个参数大于0 小于 0x3E8

生成K[4] - K[7]

在随机生成别的值好像就可以了我们开始修改代码

根据代码所看到的基本上都在对一个数组进行操作我们找到地址用OD给copy出来

数组地址00A04AD8

DWORD dwBuff[] =
{0x39cb44b8, 0x23754f67, 0x5f017211, 0x3ebb24da, 0x351707c6, 0x63f9774b, 0x17827288, 0x0fe74821, 0x5b5f670f, 0x48315ae8, 0x785b7769, 0x2b7a1547, 0x38d11292, 0x42a11b32, 0x35332244, 0x77437b60,0x1eab3b10, 0x53810000, 0x1d0212ae, 0x6f0377a8, 0x43c03092, 0x2d3c0a8e, 0x62950cbf, 0x30f06ffa, 0x34f710e0, 0x28f417fb, 0x350d2f95, 0x5a361d5a, 0x15cc060b, 0x0afd13cc, 0x28603bcf, 0x3371066b,0x30cd14e4, 0x175d3a67, 0x6dd66a13, 0x2d3409f9, 0x581e7b82, 0x76526b99, 0x5c8d5188, 0x2c857971, 0x15f51fc0, 0x68cc0d11, 0x49f55e5c, 0x275e4364, 0x2d1e0dbc, 0x4cee7ce3, 0x32555840, 0x112e2e08,0x6978065a, 0x72921406, 0x314578e7, 0x175621b7, 0x40771dbf, 0x3fc238d6, 0x4a31128a, 0x2dad036e, 0x41a069d6, 0x25400192, 0x00dd4667, 0x6afc1f4f, 0x571040ce, 0x62fe66df, 0x41db4b3e, 0x3582231f,0x55f6079a, 0x1ca70644, 0x1b1643d2, 0x3f7228c9, 0x5f141070, 0x3e1474ab, 0x444b256e, 0x537050d9, 0x0f42094b, 0x2fd820e6, 0x778b2e5e, 0x71176d02, 0x7fea7a69, 0x5bb54628, 0x19ba6c71, 0x39763a99,0x178d54cd, 0x01246e88, 0x3313537e, 0x2b8e2d17, 0x2a3d10be, 0x59d10582, 0x37a163db, 0x30d6489a, 0x6a215c46, 0x0e1c7a76, 0x1fc760e7, 0x79b80c65, 0x27f459b4, 0x799a7326, 0x50ba1782, 0x2a116d5c,0x63866e1b, 0x3f920e3c, 0x55023490, 0x55b56089, 0x2c391fd1, 0x2f8035c2, 0x64fd2b7a, 0x4ce8759a, 0x518504f0, 0x799501a8, 0x3f5b2cad, 0x38e60160, 0x637641d8, 0x33352a42, 0x51a22c19, 0x085c5851,0x032917ab, 0x2b770ac7, 0x30ac77b3, 0x2bec1907, 0x035202d0, 0x0fa933d3, 0x61255df3, 0x22ad06bf, 0x58b86971, 0x5fca0de5, 0x700d6456, 0x56a973db, 0x5ab759fd, 0x330e0be2, 0x5b3c0ddd, 0x495d3c60,0x53bd59a6, 0x4c5e6d91, 0x49d9318d, 0x103d5079, 0x61ce42e3, 0x7ed5121d, 0x14e160ed, 0x212d4ef2, 0x270133f0, 0x62435a96, 0x1fa75e8b, 0x6f092fbe, 0x4a000d49, 0x57ae1c70, 0x004e2477, 0x561e7e72,0x468c0033, 0x5dcc2402, 0x78507ac6, 0x58af24c7, 0x0df62d34, 0x358a4708, 0x3cfb1e11, 0x2b71451c, 0x77a75295, 0x56890721, 0x0fef75f3, 0x120f24f1, 0x01990ae7, 0x339c4452, 0x27a15b8e, 0x0ba7276d,0x60dc1b7b, 0x4f4b7f82, 0x67db7007, 0x4f4a57d9, 0x621252e8, 0x20532cfc, 0x6a390306, 0x18800423, 0x19f3778a, 0x462316f0, 0x56ae0937, 0x43c2675c, 0x65ca45fd, 0x0d604ff2, 0x0bfd22cb, 0x3afe643b,0x3bf67fa6, 0x44623579, 0x184031f8, 0x32174f97, 0x4c6a092a, 0x5fb50261, 0x01650174, 0x33634af1, 0x712d18f4, 0x6e997169, 0x5dab7afe, 0x7c2b2ee8, 0x6edb75b4, 0x5f836fb6, 0x3c2a6dd6, 0x292d05c2,0x052244db, 0x149a5f4f, 0x5d486540, 0x331d15ea, 0x4f456920, 0x483a699f, 0x3b450f05, 0x3b207c6c, 0x749d70fe, 0x417461f6, 0x62b031f1, 0x2750577b, 0x29131533, 0x588c3808, 0x1aef3456, 0x0f3c00ec,0x7da74742, 0x4b797a6c, 0x5ebb3287, 0x786558b8, 0x00ed4ff2, 0x6269691e, 0x24a2255f, 0x62c11f7e, 0x2f8a7dcd, 0x643b17fe, 0x778318b8, 0x253b60fe, 0x34bb63a3, 0x5b03214f, 0x5f1571f4, 0x1a316e9f,0x7acf2704, 0x28896838, 0x18614677, 0x1bf569eb, 0x0ba85ec9, 0x6aca6b46, 0x1e43422a, 0x514d5f0e, 0x413e018c, 0x307626e9, 0x01ed1dfa, 0x49f46f5a, 0x461b642b, 0x7d7007f2, 0x13652657, 0x6b160bc5,0x65e04849, 0x1f526e1c, 0x5a0251b6, 0x2bd73f69, 0x2dbf7acd, 0x51e63e80, 0x5cf2670f, 0x21cd0a03, 0x5cff0261, 0x33ae061e, 0x3bb6345f, 0x5d814a75, 0x257b5df4, 0x0a5c2c5b, 0x16a45527, 0x16f23945
};

注册机完成

#include <stdio.h>
#include <windows.h>
#include <time.h>DWORD dwBuff[] =
{0x39cb44b8, 0x23754f67, 0x5f017211, 0x3ebb24da, 0x351707c6, 0x63f9774b, 0x17827288, 0x0fe74821, 0x5b5f670f, 0x48315ae8, 0x785b7769, 0x2b7a1547, 0x38d11292, 0x42a11b32, 0x35332244, 0x77437b60,0x1eab3b10, 0x53810000, 0x1d0212ae, 0x6f0377a8, 0x43c03092, 0x2d3c0a8e, 0x62950cbf, 0x30f06ffa, 0x34f710e0, 0x28f417fb, 0x350d2f95, 0x5a361d5a, 0x15cc060b, 0x0afd13cc, 0x28603bcf, 0x3371066b,0x30cd14e4, 0x175d3a67, 0x6dd66a13, 0x2d3409f9, 0x581e7b82, 0x76526b99, 0x5c8d5188, 0x2c857971, 0x15f51fc0, 0x68cc0d11, 0x49f55e5c, 0x275e4364, 0x2d1e0dbc, 0x4cee7ce3, 0x32555840, 0x112e2e08,0x6978065a, 0x72921406, 0x314578e7, 0x175621b7, 0x40771dbf, 0x3fc238d6, 0x4a31128a, 0x2dad036e, 0x41a069d6, 0x25400192, 0x00dd4667, 0x6afc1f4f, 0x571040ce, 0x62fe66df, 0x41db4b3e, 0x3582231f,0x55f6079a, 0x1ca70644, 0x1b1643d2, 0x3f7228c9, 0x5f141070, 0x3e1474ab, 0x444b256e, 0x537050d9, 0x0f42094b, 0x2fd820e6, 0x778b2e5e, 0x71176d02, 0x7fea7a69, 0x5bb54628, 0x19ba6c71, 0x39763a99,0x178d54cd, 0x01246e88, 0x3313537e, 0x2b8e2d17, 0x2a3d10be, 0x59d10582, 0x37a163db, 0x30d6489a, 0x6a215c46, 0x0e1c7a76, 0x1fc760e7, 0x79b80c65, 0x27f459b4, 0x799a7326, 0x50ba1782, 0x2a116d5c,0x63866e1b, 0x3f920e3c, 0x55023490, 0x55b56089, 0x2c391fd1, 0x2f8035c2, 0x64fd2b7a, 0x4ce8759a, 0x518504f0, 0x799501a8, 0x3f5b2cad, 0x38e60160, 0x637641d8, 0x33352a42, 0x51a22c19, 0x085c5851,0x032917ab, 0x2b770ac7, 0x30ac77b3, 0x2bec1907, 0x035202d0, 0x0fa933d3, 0x61255df3, 0x22ad06bf, 0x58b86971, 0x5fca0de5, 0x700d6456, 0x56a973db, 0x5ab759fd, 0x330e0be2, 0x5b3c0ddd, 0x495d3c60,0x53bd59a6, 0x4c5e6d91, 0x49d9318d, 0x103d5079, 0x61ce42e3, 0x7ed5121d, 0x14e160ed, 0x212d4ef2, 0x270133f0, 0x62435a96, 0x1fa75e8b, 0x6f092fbe, 0x4a000d49, 0x57ae1c70, 0x004e2477, 0x561e7e72,0x468c0033, 0x5dcc2402, 0x78507ac6, 0x58af24c7, 0x0df62d34, 0x358a4708, 0x3cfb1e11, 0x2b71451c, 0x77a75295, 0x56890721, 0x0fef75f3, 0x120f24f1, 0x01990ae7, 0x339c4452, 0x27a15b8e, 0x0ba7276d,0x60dc1b7b, 0x4f4b7f82, 0x67db7007, 0x4f4a57d9, 0x621252e8, 0x20532cfc, 0x6a390306, 0x18800423, 0x19f3778a, 0x462316f0, 0x56ae0937, 0x43c2675c, 0x65ca45fd, 0x0d604ff2, 0x0bfd22cb, 0x3afe643b,0x3bf67fa6, 0x44623579, 0x184031f8, 0x32174f97, 0x4c6a092a, 0x5fb50261, 0x01650174, 0x33634af1, 0x712d18f4, 0x6e997169, 0x5dab7afe, 0x7c2b2ee8, 0x6edb75b4, 0x5f836fb6, 0x3c2a6dd6, 0x292d05c2,0x052244db, 0x149a5f4f, 0x5d486540, 0x331d15ea, 0x4f456920, 0x483a699f, 0x3b450f05, 0x3b207c6c, 0x749d70fe, 0x417461f6, 0x62b031f1, 0x2750577b, 0x29131533, 0x588c3808, 0x1aef3456, 0x0f3c00ec,0x7da74742, 0x4b797a6c, 0x5ebb3287, 0x786558b8, 0x00ed4ff2, 0x6269691e, 0x24a2255f, 0x62c11f7e, 0x2f8a7dcd, 0x643b17fe, 0x778318b8, 0x253b60fe, 0x34bb63a3, 0x5b03214f, 0x5f1571f4, 0x1a316e9f,0x7acf2704, 0x28896838, 0x18614677, 0x1bf569eb, 0x0ba85ec9, 0x6aca6b46, 0x1e43422a, 0x514d5f0e, 0x413e018c, 0x307626e9, 0x01ed1dfa, 0x49f46f5a, 0x461b642b, 0x7d7007f2, 0x13652657, 0x6b160bc5,0x65e04849, 0x1f526e1c, 0x5a0251b6, 0x2bd73f69, 0x2dbf7acd, 0x51e63e80, 0x5cf2670f, 0x21cd0a03, 0x5cff0261, 0x33ae061e, 0x3bb6345f, 0x5d814a75, 0x257b5df4, 0x0a5c2c5b, 0x16a45527, 0x16f23945
};int EnCode(const char* a1, int a2, char a3, int a4)
{const char* v4; // edxint v5; // esisigned int v6; // edisigned int v7; // ebxint v8; // eaxint v9; // ecxint v10; // edxint v11; // esiunsigned __int8 v12; // alint v13; // esiint v14; // eaxint v16; // [esp+Ch] [ebp-18h]int v17; // [esp+10h] [ebp-14h]unsigned __int8 v18; // [esp+14h] [ebp-10h]unsigned __int8 v19; // [esp+18h] [ebp-Ch]unsigned __int8 v20; // [esp+1Ch] [ebp-8h]v4 = a1;v5 = 0;v6 = strlen(a1);v7 = 0;if (v6 > 0){v17 = 15 * a4;v18 = 0;v19 = 0;v20 = 17 * a3;do{v8 = toupper((unsigned __int8)v4[v7]);v16 = v20;v9 = v17;v17 = (unsigned __int8)v17;v10 = v5 + dwBuff[v8];if (a2){v11 = dwBuff[(unsigned __int8)(v8 + 47)] * (v10 ^ dwBuff[(unsigned __int8)(v8 + 13)]);v12 = v19;}else{v11 = dwBuff[(unsigned __int8)(v8 + 23)] * (v10 ^ dwBuff[(unsigned __int8)(v8 + 63)]);v12 = v18;}v20 += 9;++v7;v19 += 19;v18 += 7;v4 = a1;v13 = dwBuff[v12] + v11;v14 = v17;v17 = v9 + 13;v5 = dwBuff[v16] + dwBuff[v14] + v13;} while (v7 < v6);}return v5;
}int main()
{/*判断  (((k[0]^k[6])^0x18 + 0x3D)^0xA7)&0xFF != 0判断 eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF != 0判断 eax = ((((((((k[1]^k[7])&0xFF)*0x100)+((k[2]^k[5])&0xFF)&0xFFFF)^0x7892 + 0x4D30)&0xFFFF)^0x3421) / 0xB) &0xFFFF < 0x3E8已知K[3] == 0x9C / 0xFC / 0xAC*/DWORD nRet = 0x3E8;                //0 - 0x3E8byte bKey[10] = { 0 };bKey[3] = 0x9C;DWORD dwRet = EnCode("xuanci", 1, 0, nRet);bKey[4] = dwRet & 0xFF;bKey[5] = dwRet >> 0x8 & 0xFF;bKey[6] = dwRet >> 0x10 & 0xFF;bKey[7] = dwRet >> 0x18 & 0xFF;srand(time(NULL));while (true){byte k0 = rand() % 0xFF;byte s1 = (((k0 ^ bKey[6]) ^ 0x18 + 0x3D) ^ 0xA7) & 0xFF;if (s1 != 0){//获取到了K0 和 K6bKey[0] = k0;break;}}while (true){byte k1 = rand() % 0xFF;byte k2 = rand() % 0xFF;DWORD s1 = (((((((k1 ^ bKey[7]) & 0xFF) * 0x100) + ((k2 ^ bKey[5]) & 0xFF) & 0xFFFF) ^ 0x7892) + 0x4D30) ^ 0x3421) & 0xFFFF;if ((s1 % 0xB) == 0 && (s1 / 0xB) == nRet){bKey[1] = k1;bKey[2] = k2;break;}}for (int i = 0; i < 10; i++){printf("%02X", bKey[i]);}getchar();return 0;
}

Key：B4812E9C62157C280000

测试下

OK 完毕剩下的就是上面说的网络验证直接爆破下就好了