
[原创] MP4 Downloader Pro Version: 3.29.6 验证算法描述


    发表于 2019-12-18 00:12:47 | 显示全部楼层 |阅读模式
    本帖最后由 wai1216 于 2019-12-18 00:19 编辑

    作者调用miracl大数库完成了rsa的加密,通过lstrlenA巧妙地截断了密文数据,之后将0x3c长度的数据,分成0x1c(A)和0x20(B)两段做check
    其中A段是段比较零散的验证
    而B段是通过swprintf %s.{%s} 拼接 regedit的目录以及用户邮箱组成这样格式的 {500188E5-47D9-4d40-8738-C820081E87B0}.{nisy@chinapyg.com}的md5


    先说加密:
    sub_42C7CD(v8, v7, &v19, &String, 0x1001u, 60, 1180, aDh43ydl65izsin, aO2x)
    sub_42C7CD(int a1, int a2, char *a3, void *a4, size_t a5, int a6, int a7, int a8, int a9)
    
    LABEL_23:
      v15 = _mirsys(100, 0);
      *(v15 + 548) = 1;                             // ->ERCON
      *(v15 + 564) = a6;                            // ->IOBASE = 60
      v16 = __mirvar(0);
      v21 = __mirvar(0);
      v17 = __mirvar(0);
      v22 = __mirvar(0);
      __cinstr(v16, a3);                            // key
      __cinstr(v17, a8);                            // DH43Ydl65IZsIncKnCukuUZgGk8lLSBiC9JlaO5pxiioSXtl5iLTQEU1tnJMBYYUrjePIG9E6J210QFgWwjuRdsc2aw53GqaZ8NZn1itpwvhl52sBgi1RnIdSZhoMh5HDsHKqfILDCZFv6v28cEprsePAMJDPZRYkcZfO67eOCB7Nl66mjqbMZxkieIbqO773J8Qt94n
      __cinstr(v22, a9);                            // O2x --> 0x15233(16)
      if ( _mr_compare(v16, v17) == -1 )
      {
        __powmod(v16, v16, v22, v17, v21);
        _big_to_bytes(v23, v21, a4, 0);
      }
      _cleanup(v16);
      _cleanup(v21);
      _cleanup(v17);
      _cleanup(v22);
      _mirexit();
    LABEL_27:
    


    可以看到,这里使用powmod(key,n,e,c)完成了rsa加密算法,之后再将big_c转换成bytes_c,注意到mip->IOBASE=60,即作者将n/e/key转成60进制存储
    另外mip->ERCON = 1,大概用于如果big_to_bytes没有转换成功,不退出程序 // v23 = 1180 / 8 - 1 = 146(0x92)

    之后将check A段
    int __thiscall sub_427100(void *this, wchar_t *lpString)
    {
      // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
    
      v2 = lpString;
      v3 = this;
      if ( wcslen(lpString) != 60 )
        return -1;
      sub_544B54(&v20, v2);
      v5 = *v2;
      v21 = 0;
      sub_53D1A0(&lpString, v5, 1);
      LOBYTE(v21) = 1;
      sub_427752(lpString, v3);
      if ( !(GetTickCount() % 3) && *v3 > 0xAu )
        goto LABEL_75;
      v7 = sub_53D559(&v20, &v19, 1, 2);
      LOBYTE(v21) = 2;
      sub_544C27(&lpString, v7);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      v17 = (v3 + 4);
      sub_427752(lpString, v3 + 4);
      CString::operator=(v2[3]);
      sub_427752(lpString, v3 + 8);
      if ( !(GetTickCount() & 3) && *(v3 + 8) > 0x64u )
        goto LABEL_75;
      v8 = sub_53D559(&v20, &v19, 4, 2);
      LOBYTE(v21) = 3;
      sub_544C27(&lpString, v8);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      sub_427752(lpString, v3 + 12);
      if ( !(GetTickCount() % 5) && *(v3 + 12) > 0x3E8u )
        goto LABEL_75;
      CString::operator=(v2[6]);
      sub_427752(lpString, v3 + 16);
      if ( !(GetTickCount() % 3) && *(v3 + 16) > 0x64u )
        goto LABEL_75;
      CString::operator=(v2[7]);
      sub_427752(lpString, v3 + 20);
      if ( !(GetTickCount() & 3) && *(v3 + 20) > 0x64u )
        goto LABEL_75;
      CString::operator=(v2[8]);
      sub_427752(lpString, v3 + 24);
      if ( !(GetTickCount() % 5) && *(v3 + 24) > 0x64u )
        goto LABEL_75;
      v9 = sub_53D559(&v20, &v19, 9, 2);
      LOBYTE(v21) = 4;
      sub_544C27(&lpString, v9);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      sub_427752(lpString, v3 + 28);
      if ( !(GetTickCount() % 3) && *(v3 + 28) > 0x3E8u )
        goto LABEL_75;
      v10 = sub_53D559(&v20, &v19, 0xB, 2);
      LOBYTE(v21) = 5;
      sub_544C27(&lpString, v10);
      LOBYTE(v21) = 1;
      sub_544AE0(&v19);
      v19 = (v3 + 32);
      sub_427752(lpString, v3 + 32);
      CString::operator=(v2[13]);
      sub_427717(lpString, v3 + 36);
      if ( *(v3 + 36) < -1 || !(GetTickCount() & 3) && *(v3 + 36) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[14]);
      sub_427717(lpString, v3 + 40);
      if ( *(v3 + 40) < -1 || !(GetTickCount() % 5) && *(v3 + 40) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[15]);
      sub_427717(lpString, v3 + 44);
      if ( *(v3 + 44) < -1 || !(GetTickCount() % 3) && *(v3 + 44) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[16]);
      sub_427717(lpString, v3 + 48);
      if ( *(v3 + 48) < -1 || !(GetTickCount() & 3) && *(v3 + 48) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[17]);
      sub_427717(lpString, v3 + 52);
      if ( *(v3 + 52) < -1 || !(GetTickCount() % 5) && *(v3 + 52) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[18]);
      sub_427717(lpString, v3 + 56);
      if ( *(v3 + 56) < -1 || !(GetTickCount() % 3) && *(v3 + 56) > 0x64 )
        goto LABEL_75;
      CString::operator=(v2[19]);
      sub_427717(lpString, v3 + 60);
      v11 = *(v3 + 60);
      if ( v11 < -1 )
        goto LABEL_75;
      if ( v11 != -1 )
        *(v3 + 60) = v11 + 2000;
      if ( !(GetTickCount() & 3) )
      {
        v12 = *(v3 + 60);
        if ( v12 != -1 && v12 < 0x7D4 )
          goto LABEL_75;
      }
      CString::operator=(v2[20]);
      sub_427717(lpString, v3 + 64);
      if ( *(v3 + 64) < 0xFFFFFFFF || !(GetTickCount() % 5) && *(v3 + 64) > 0xC )
        goto LABEL_75;
      CString::operator=(v2[21]);
      sub_427717(lpString, v3 + 68);
      if ( *(v3 + 68) < -1 || !(GetTickCount() % 3) && *(v3 + 68) > 0x1F )
        goto LABEL_75;
      CString::operator=(v2[22]);
      sub_427717(lpString, v3 + 72);
      v13 = *(v3 + 72);
      if ( v13 < -1 )
        goto LABEL_75;
      if ( v13 != -1 )
        *(v3 + 72) = v13 + 0x7D0;
      if ( !(GetTickCount() & 3) && *(v3 + 72) > 0x7E8 )
        goto LABEL_75;
      CString::operator=(v2[23]);
      sub_427717(lpString, v3 + 76);
      if ( *(v3 + 76) < -1 || !(GetTickCount() % 5) && *(v3 + 76) > 0xC )
        goto LABEL_75;
      CString::operator=(v2[24]);
      sub_427717(lpString, v3 + 80);
      if ( *(v3 + 80) < -1 || !(GetTickCount() % 3) && *(v3 + 80) > 0x1F )
        goto LABEL_75;
      if ( ((CString::operator=(v2[25]), sub_427717(lpString, v3 + 84), GetTickCount() % 3) || !*(v3 + 84))
        && ((CString::operator=(v2[26]), sub_427717(lpString, v3 + 88), GetTickCount() & 3) || !*(v3 + 88))
        && ((CString::operator=(v2[27]), sub_427717(lpString, v3 + 92), GetTickCount() % 5) || !*(v3 + 92)) )
      {
        v14 = CString::Mid(&v20, &v18, 28);
        LOBYTE(v21) = 6;
        sub_544C27((v3 + 96), v14);
        LOBYTE(v21) = 1;
        sub_544AE0(&v18);
        if ( *v3 == 1 )
        {
          v15 = v19;
          v16 = *v17;
          if ( *v17 & 1 )
            *v19 |= 1u;
          if ( v16 & 2 )
            *v15 |= 2u;
          *v17 = 0;
        }
        v6 = 0;
      }
      else
      {
    LABEL_75:
        v6 = -1;
      }
      LOBYTE(v21) = 0;
      sub_544AE0(&lpString);
      v21 = -1;
      sub_544AE0(&v20);
      return v6;
    }
    


    除掉GetTickCount(),把其当作每个check都要满足,即不goto LABEL_75

    通过如下数据进行举例
    将得到密文
    0343F768  25 00 00 00 74 F7 43 03 00 00 00 00 41 41 41 41  %...t÷C.....AAAA  
    0343F778  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F788  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F798  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F7A8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F7B8  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0343F7C8  41 00 64 35 36 35 65 63 35 35 65 66 63 61 66 32  A.d565ec55efcaf2  
    0343F7D8  64 32 38 61 64 30 62 38 31 34 37 35 33 30 62 32  d28ad0b8147530b2  
    0343F7E8  61 65 21 21 21 33 2D 34 23 23 38 28 3F 25 25 25  ae!!!3-4##8(?%%%  
    0343F7F8  23 23 22 22 22 22 22 22 22 22 22 22 22 23 00 00  ##"""""""""""#..
    
      
    转换后
    0018D890  23 22 22 22 22 22 22 22 22 22 22 22 23 23 25 25  #"""""""""""##%%  
    0018D8A0  25 3F 28 38 23 23 34 2D 33 21 21 21 65 61 32 62  %?(8##4-3!!!ea2b  
    0018D8B0  30 33 35 37 34 31 38 62 30 64 61 38 32 64 32 66  0357418b0da82d2f  
    0018D8C0  61 63 66 65 35 35 63 65 35 36 35 64 00 41 41 41  acfe55ce565d.AAA  
    0018D8D0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D8E0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D8F0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D900  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D910  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA  
    0018D920  41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00  AA..............
    

    后面的AAAAAAAAAAA可以看作padding,没有细看具体之后有啥作用

    作者在过程中使用的大小0x5e字符串表,从0x21开始 // 这里使用的wchar_t
    0018CB54  21 00 22 00 23 00 24 00 25 00 26 00 27 00 28 00  !.".#.$.%.&.'.(.  
    0018CB64  29 00 2A 00 2B 00 2C 00 2D 00 2E 00 2F 00 30 00  ).*.+.,.-.../.0.  
    0018CB74  31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00  1.2.3.4.5.6.7.8.  
    0018CB84  39 00 3A 00 3B 00 3C 00 3D 00 3E 00 3F 00 40 00  9.:.;.<.=.>.?.@.  
    0018CB94  41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00  A.B.C.D.E.F.G.H.  
    0018CBA4  49 00 4A 00 4B 00 4C 00 4D 00 4E 00 4F 00 50 00  I.J.K.L.M.N.O.P.  
    0018CBB4  51 00 52 00 53 00 54 00 55 00 56 00 57 00 58 00  Q.R.S.T.U.V.W.X.  
    0018CBC4  59 00 5A 00 5B 00 5C 00 5D 00 5E 00 5F 00 60 00  Y.Z.[.\.].^._.`.  
    0018CBD4  61 00 62 00 63 00 64 00 65 00 66 00 67 00 68 00  a.b.c.d.e.f.g.h.  
    0018CBE4  69 00 6A 00 6B 00 6C 00 6D 00 6E 00 6F 00 70 00  i.j.k.l.m.n.o.p.  
    0018CBF4  71 00 72 00 73 00 74 00 75 00 76 00 77 00 78 00  q.r.s.t.u.v.w.x.  
    0018CC04  79 00 7A 00 7B 00 7C 00 7D 00 7E 00 00 00 00 00  y.z.{.|.}.~.....
    

    将0x1c数据 // char_t
    0018D890  23 22 22 22 22 22 22 22 22 22 22 22 23 23 25 25  #"""""""""""##%%  
    0018D8A0  25 3F 28 38 23 23 34 2D 33 21 21 21 65 61
    

    转化成 // TABLE_AFTER_CONVERT
    0018EDA0  02 00 00 00 5F 00 00 00 01 00 00 00 5F 00 00 00  ...._......._...  
    0018EDB0  01 00 00 00 01 00 00 00 01 00 00 00 5F 00 00 00  ............_...  
    0018EDC0  60 00 00 00 02 00 00 00 04 00 00 00 04 00 00 00  `...............  
    0018EDD0  04 00 00 00 1E 00 00 00 07 00 00 00 E7 07 00 00  ............ç...  
    0018EDE0  02 00 00 00 02 00 00 00 E3 07 00 00 0C 00 00 00  ........ã.......  
    0018EDF0  12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    


    算法描述
    signed int __cdecl sub_426B4A(_WORD *a1, __int16 a2)
    {
      // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
    
      v2 = a1;
      result = 0;
      while ( *v2 != a2 )
      {
        ++result;
        ++v2;
        if ( result >= 0x5E )
          return 0;
      }
      return result;
    }
    -->
    v12 = 1;
    *a2 = 1;
    v6 = wcslen(a1) - 1;
    if ( v6 >= 0 )
    {
        v7 = &a1[v6];
        v8 = v6 + 1;
        do
        {
            *a2 += v12 * sub_426B4A(&v10, *v7);       // 找到对应字符的位置
            --v7;
            --v8;
            v12 *= 94;
        }
        while ( v8 );
    }
    


    第一次:
    0x23
    获得对应表中的位置为 2,故TABLE_AFTER_CONVERT[0] = 1 * 2 = 2 // index 从0开始算
    第二次:
    通过
    v7 = sub_53D559(&v20, &v19, 1, 2);
    sub_544C27(&lpString, v7);
    v17 = (v3 + 4);
    sub_427752(lpString, v3 + 4);
    

    构成
    wchat_t(0x22 0x22)
    TABLE_AFTER_CONVERT[1] = 1 * 1 + 94 * 1 = 0x5f
    

    第三次:
    TABLE_AFTER_CONVERT[2] = 1
    

    后面根据代码即可推断出,然后对应到相应的验证
    TABLE_AFTER_CONVERT[0] <= 0xA
    TABLE_AFTER_CONVERT[2] <= 0x64
    ...
    TABLE_AFTER_CONVERT[15] + 0x7D0 >= 0x7d4
    


    注意到,后面的处理日期,还有一些需要满足的check
    int __thiscall sub_429A90(void *this)
    {
      // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
    
      v1 = this;
      sub_42B19D(&v42);
      v41 = *(v1 + 136);
      v36 = sub_53DD4E(&v42, 0)->tm_year + 1900;
      v37 = sub_53DD4E(&v42, 0)->tm_mon + 1;
      v38 = sub_53DD4E(&v42, 0)->tm_mday;
      v33 = sub_53DD4E(&v41, 0)->tm_year + 1900;
      v2 = sub_53DD4E(&v41, 0)->tm_mon + 1;
      v35 = sub_53DD4E(&v41, 0)->tm_mday;
      if ( !*(v1 + 120) )
      {
        .........
        .........
        .........
        if ( *(v1 + 122) )
          return 0;
        if ( *(*(v1 + 124) - 8) )
        {
          if ( sub_42790B(*(v1 + 124)) )            // check name
          {
            v4 = *(v1 + 128);
            if ( *(v4 - 2) )                        // check regcode
            {
              if ( sub_427A50(v4, 60) )
              {
                v33 = -1;
                v34 = -1;
                v35 = -1;
                sub_4266B3(*(v1 + 148), &v33);
                v6 = v5;
                if ( !(*(v1 + 44) & 2) || (*(*v1 + 8))(v1, &v33, v1 + 60) )
                {
                  if ( !(*(v1 + 44) & 1) || (*(*v1 + 4))(v1, &v33, v1 + 48) )
                  {
                    if ( !(*(v1 + 44) & 8) || (*(*v1 + 16))(v1, &v36, v1 + 0x54) )
                    {
                      if ( !(*(v1 + 44) & 4) )
                        return 0;
                      v10 = *v1;
                      v11 = v6;
                      unknown_libname_490(&v42);
                      if ( (*(v10 + 12))(v1, v11, v1 + 0x48) )
                        return 0;
                      v12 = GetTickCount();
                      if ( v12 % 3 != 1 )
                      {
                        if ( v12 % 3 != 2 )
                        {
                          v24 = 20;
                          goto LABEL_20;
                        }
                        v25 = 29;
                        v20 = 20;
                        goto LABEL_22;
                      }
                      v26 = 20;
                      v21 = 118;
                    }
                    else
                    {
                      v9 = GetTickCount();
                      if ( v9 % 3 != 1 )
                      {
                        if ( v9 % 3 != 2 )
                        {
                          v24 = 21;
                          goto LABEL_20;
                        }
                        v25 = 30;
                        v20 = 21;
                        goto LABEL_22;
                      }
                      v26 = 21;
                      v21 = 119;
                    }
                  }
                  else
                  {
                    v8 = GetTickCount();
                    if ( v8 % 3 != 1 )
                    {
                      if ( v8 % 3 != 2 )
                      {
                        v24 = 10;
                        goto LABEL_20;
                      }
                      v25 = 19;
                      v20 = 10;
    LABEL_22:
                      sub_42AED9(v1, 2u, v20, 0xCu, v25);
                      return 0;
                    }
                    v26 = 10;
                    v21 = 108;
                  }
                }
                else
                {
                  v7 = GetTickCount();
                  if ( v7 % 3 != 1 )
                  {
                    if ( v7 % 3 != 2 )
                    {
                      v24 = 11;
    LABEL_20:
                      sub_43DFD0(v1, 2u, v24);
                      return 0;
                    }
                    v25 = 20;
                    v20 = 11;
                    goto LABEL_22;
                  }
                  v26 = 11;
                  v21 = 109;
                }
                sub_427DC5(v1, 0x66u, v21, 2u, v26);
                return 0;
              }
            }
          }
        }
    LABEL_74:
        v17 = GetTickCount();
        if ( v17 % 3 == 1 )
        {
          sub_427DC5(v1, 0x68u, 0x6Cu, 4u, 0xAu);
        }
        else if ( v17 % 3 == 2 )
        {
          sub_42AED9(v1, 4u, 0xAu, 0xEu, 0x13u);
        }
        else
        {
          sub_43DFD0(v1, 4u, 0xAu);
        }
        return 0;
      }
      if ( *(v1 + 122) )
        return 0;
      if ( *(*(v1 + 124) - 8) || *(*(v1 + 128) - 8) )
        goto LABEL_74;
      v30 = -1;
      v31 = -1;
      v32 = -1;
      sub_4266B3(*(v1 + 148), &v30);
      v13 = *(v1 + 140);
      v14 = v13 == 0;
      if ( v13 <= 0 )
      {
    LABEL_66:
        if ( !v14 )
          goto LABEL_74;
        v16 = GetTickCount();
        if ( v16 % 3 != 1 )
        {
          if ( v16 % 3 != 2 )
          {
            v27 = 1;
    LABEL_84:
            sub_43DFD0(v1, 1u, v27);
            return 0;
          }
          v28 = 10;
          v22 = 1;
          goto LABEL_86;
        }
        v29 = 1;
        v23 = 99;
        goto LABEL_88;
      }
      if ( v13 > *(v1 + 8) )
      {
        v14 = v13 == 0;
        goto LABEL_66;
      }
      if ( *(v1 + 4) == 10 )
      {
        if ( !dword_689074 )
        {
          sub_429EF4(v1, v13 - 1);
          dword_689074 = 1;
        }
      }
      else if ( *(v1 + 4) == 20 )
      {
        if ( v36 != v33 || v37 != v2 || v38 != v35 )
        {
          sub_41F003(&v42, &v40, v41);
          v15 = *(v1 + 140) - abs(v40 / 86400);
          sub_429EF4(v1, v15);
        }
      }
      else if ( *(v1 + 4) == 21 && (v36 != v33 || v37 != v2 || v38 != v35) )
      {
        sub_429EF4(v1, v13 - 1);
      }
      return 0;
    }
    
    还有没有其他check就不知道了
    B段就是衔接然后判断md5了
    {
      if ( sub_427100(v39 + 3, v36) )
      {
        v31 = -2;
        _CxxThrowException(&v31, &_TI1H);
      }
      lpWideCharStr = off_68360C;
      v13 = v12[31];
      LOBYTE(v42) = 3;
      sub_53DA79(&lpWideCharStr, aS_S, v12[36]);
      LOBYTE(v27) = HIBYTE(a2);
      std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(0);
      LOBYTE(v42) = 4;
      sub_425CF9(lpWideCharStr);
      sub_42B579(&v33);
      memset(&v23, 0, 0x41u);
      v14 = v28;
      if ( !v28 )
        v14 = MultiByteStr;
      v15 = *(a2 + 4);
      v16 = *a2;
      v11 = (*a2)-- < 1u;
      v17 = v29;
      *(a2 + 4) = v15 - v11;
      if ( _md5(v14, v16, v15, v14, v17, &v23) )
      {
        v30 = -2;
        _CxxThrowException(&v30, &_TI1H);
      }
      sub_544BA9(&v38, &v23);
      LOBYTE(v42) = 5;
      if ( wcscmp(v39[27], v38) )
      {
        v34 = -1;
        _CxxThrowException(&v34, &_TI1H);
      }
      v37 = 0;
      _CxxThrowException(&v37, &_TI1H);
    }
    


    v37=0的话,走到像catch的这种地方
    .text:0042996E                         loc_42996E:                             ; DATA XREF: .rdata:stru_5929A0↓o
    .text:0042996E                         ;   catch(int) // owned by 429423
    .text:0042996E 83 7D 0C 00                             cmp     [ebp+_regcode], 0
    .text:00429972 0F 85 E6 00 00 00                       jnz     loc_429A5E
    .text:00429978 8D 45 B0                                lea     eax, [ebp+var_50]
    .text:0042997B 50                                      push    eax
    .text:0042997C E8 1C 18 00 00                          call    sub_42B19D
    .text:00429981 8B 7D B4                                mov     edi, [ebp+var_4C]
    .text:00429984 8B 00                                   mov     eax, [eax]
    .text:00429986 8B 1D 88 12 57 00                       mov     ebx, ds:GetTickCount
    .text:0042998C 59                                      pop     ecx
    .text:0042998D 89 87 84 00 00 00                       mov     [edi+84h], eax
    .text:00429993 89 87 88 00 00 00                       mov     [edi+88h], eax
    .text:00429999 FF D3                                   call    ebx ; GetTickCount
    .text:0042999B 6A 03                                   push    3
    .text:0042999D 33 D2                                   xor     edx, edx
    .text:0042999F 59                                      pop     ecx
    .text:004299A0 F7 F1                                   div     ecx
    .text:004299A2 4A                                      dec     edx
    .text:004299A3 74 21                                   jz      short loc_4299C6
    .text:004299A5 4A                                      dec     edx
    .text:004299A6 74 0D                                   jz      short loc_4299B5
    .text:004299A8 6A 00                                   push    0
    .text:004299AA 6A 02                                   push    2
    .text:004299AC 8B CF                                   mov     ecx, edi
    .text:004299AE E8 1D 46 01 00                          call    sub_43DFD0
    .text:004299B3 EB 20                                   jmp     short loc_4299D5
    .text:004299B5                         ; ---------------------------------------------------------------------------
    .text:004299B5
    .text:004299B5                         loc_4299B5:                             ; CODE XREF: sub_429389+61D↑j
    .text:004299B5 6A 09                                   push    9
    .text:004299B7 6A 0C                                   push    0Ch
    .text:004299B9 6A 00                                   push    0
    .text:004299BB 6A 02                                   push    2
    .text:004299BD 8B CF                                   mov     ecx, edi
    .text:004299BF E8 15 15 00 00                          call    sub_42AED9
    .text:004299C4 EB 0F                                   jmp     short loc_4299D5
    .text:004299C6                         ; ---------------------------------------------------------------------------
    .text:004299C6
    .text:004299C6                         loc_4299C6:                             ; CODE XREF: sub_429389+61A↑j
    .text:004299C6 6A 00                                   push    0
    .text:004299C8 6A 02                                   push    2
    .text:004299CA 6A 62                                   push    62h
    .text:004299CC 6A 66                                   push    66h
    .text:004299CE 8B CF                                   mov     ecx, edi
    .text:004299D0 E8 F0 E3 FF FF                          call    sub_427DC5
    .text:004299D5
    .text:004299D5                         loc_4299D5:                             ; CODE XREF: sub_429389+62A↑j
    .text:004299D5                                                                 ; sub_429389+63B↑j
    .text:004299D5 8B CF                                   mov     ecx, edi
    .text:004299D7 E8 B4 00 00 00                          call    sub_429A90
    .text:004299DC 66 83 7F 78 02                          cmp     word ptr [edi+78h], 2
    .text:004299E1 75 07                                   jnz     short loc_4299EA
    .text:004299E3 66 83 7F 7A 00                          cmp     word ptr [edi+7Ah], 0
    .text:004299E8 74 0E                                   jz      short loc_4299F8
    


    如上述所说,注意到sub_429A90还有一些check

    最后手工构造了下(上面的密文),显示成功,但可能有些check没处理完,看了下注册表解密生成的这样的
    L"1\n2\nnisy@chinapyg.com\nttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt\n5DF8F0F7\n5DF8F0F7\n0\n"
    


    KeyGen的话,生成一组rsa数据,其中模数长度为0x1180,指数为0x15233,然后得到明文,模数转成60进制,前者用于输入,后者用于patch



    发表于 2019-12-18 09:05:23 | 显示全部楼层
    膜拜下大神!


    发表于 2019-12-18 10:09:20 | 显示全部楼层
    膜拜大神 我就看了一下 没敢看算法 对我来说太复杂了 感谢分享 学习了


    发表于 2019-12-18 10:30:34 | 显示全部楼层
    精彩的分析,收藏学习


    发表于 2019-12-18 11:02:48 | 显示全部楼层
    这个一定要顶一下


    发表于 2019-12-18 11:09:01 | 显示全部楼层
    表哥静态能力好强大,先Mark,坐等表哥Python算法学习


    发表于 2019-12-18 18:28:36 | 显示全部楼层
    太过精彩,小白们亚历山大


    发表于 2019-12-19 07:21:37 | 显示全部楼层
    虽然看不懂,但这么多人加分,应该很难牛逼。


    发表于 2019-12-20 07:41:28 | 显示全部楼层
    虽然看不懂,但是后期应该会看懂。谢谢大神分享