- UID
- 70756
注册时间2010-11-1
阅读权限85
最后登录1970-1-1
见习版主
 
TA的每日心情 | 擦汗
2016-4-19 21:35 |
|---|
签到天数: 3 天 [LV.2]偶尔看看I
|
本帖最后由 wai1216 于 2019-12-18 00:19 编辑
作者调用miracl大数据库完成了rsa的加密,通过lstrenA巧妙了的截断了密文数据,之后将0x3c长度的数据,分成0x1c(A)和0x20(B)两段做check
其中A段是段比较零散的验证
而B段是通过swprintf %s.{%s} 拼接 regedit的目录以及用户邮箱组成这样格式的 {500188E5-47D9-4d40-8738-C820081E87B0}.{nisy@chinapyg.com}的md5
先说加密:
[Plain Text] 纯文本查看 复制代码
sub_42C7CD(v8, v7, &v19, &String, 0x1001u, 60, 1180, aDh43ydl65izsin, aO2x)
sub_42C7CD(int a1, int a2, char *a3, void *a4, size_t a5, int a6, int a7, int a8, int a9)
LABEL_23:
v15 = _mirsys(100, 0);
*(v15 + 548) = 1; // ->ERCON
*(v15 + 564) = a6; // ->IOBASE = 60
v16 = __mirvar(0);
v21 = __mirvar(0);
v17 = __mirvar(0);
v22 = __mirvar(0);
__cinstr(v16, a3); // key
__cinstr(v17, a8); // DH43Ydl65IZsIncKnCukuUZgGk8lLSBiC9JlaO5pxiioSXtl5iLTQEU1tnJMBYYUrjePIG9E6J210QFgWwjuRdsc2aw53GqaZ8NZn1itpwvhl52sBgi1RnIdSZhoMh5HDsHKqfILDCZFv6v28cEprsePAMJDPZRYkcZfO67eOCB7Nl66mjqbMZxkieIbqO773J8Qt94n
__cinstr(v22, a9); // O2x --> 0x15233(16)
if ( _mr_compare(v16, v17) == -1 )
{
__powmod(v16, v16, v22, v17, v21);
_big_to_bytes(v23, v21, a4, 0);
}
_cleanup(v16);
_cleanup(v21);
_cleanup(v17);
_cleanup(v22);
_mirexit();
LABEL_27:
可以看到,这里使用powmod(key,n,e,c)完成了rsa加密算法,之后再将big_c转换成bytes_c,注意到mip->IOBASE=60,即作者将n/e/key转成60进制存储
另外mip->ERCON = 1,大概用于如果big_to_bytes没有转换成功,不退出程序 // v23 = 1180 / 8 - 1 = 146(0x92)
之后将check A段
[Plain Text] 纯文本查看 复制代码
int __thiscall sub_427100(void *this, wchar_t *lpString)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v2 = lpString;
v3 = this;
if ( wcslen(lpString) != 60 )
return -1;
sub_544B54(&v20, v2);
v5 = *v2;
v21 = 0;
sub_53D1A0(&lpString, v5, 1);
LOBYTE(v21) = 1;
sub_427752(lpString, v3);
if ( !(GetTickCount() % 3) && *v3 > 0xAu )
goto LABEL_75;
v7 = sub_53D559(&v20, &v19, 1, 2);
LOBYTE(v21) = 2;
sub_544C27(&lpString, v7);
LOBYTE(v21) = 1;
sub_544AE0(&v19);
v17 = (v3 + 4);
sub_427752(lpString, v3 + 4);
CString::operator=(v2[3]);
sub_427752(lpString, v3 + 8);
if ( !(GetTickCount() & 3) && *(v3 + 8) > 0x64u )
goto LABEL_75;
v8 = sub_53D559(&v20, &v19, 4, 2);
LOBYTE(v21) = 3;
sub_544C27(&lpString, v8);
LOBYTE(v21) = 1;
sub_544AE0(&v19);
sub_427752(lpString, v3 + 12);
if ( !(GetTickCount() % 5) && *(v3 + 12) > 0x3E8u )
goto LABEL_75;
CString::operator=(v2[6]);
sub_427752(lpString, v3 + 16);
if ( !(GetTickCount() % 3) && *(v3 + 16) > 0x64u )
goto LABEL_75;
CString::operator=(v2[7]);
sub_427752(lpString, v3 + 20);
if ( !(GetTickCount() & 3) && *(v3 + 20) > 0x64u )
goto LABEL_75;
CString::operator=(v2[8]);
sub_427752(lpString, v3 + 24);
if ( !(GetTickCount() % 5) && *(v3 + 24) > 0x64u )
goto LABEL_75;
v9 = sub_53D559(&v20, &v19, 9, 2);
LOBYTE(v21) = 4;
sub_544C27(&lpString, v9);
LOBYTE(v21) = 1;
sub_544AE0(&v19);
sub_427752(lpString, v3 + 28);
if ( !(GetTickCount() % 3) && *(v3 + 28) > 0x3E8u )
goto LABEL_75;
v10 = sub_53D559(&v20, &v19, 0xB, 2);
LOBYTE(v21) = 5;
sub_544C27(&lpString, v10);
LOBYTE(v21) = 1;
sub_544AE0(&v19);
v19 = (v3 + 32);
sub_427752(lpString, v3 + 32);
CString::operator=(v2[13]);
sub_427717(lpString, v3 + 36);
if ( *(v3 + 36) < -1 || !(GetTickCount() & 3) && *(v3 + 36) > 0x64 )
goto LABEL_75;
CString::operator=(v2[14]);
sub_427717(lpString, v3 + 40);
if ( *(v3 + 40) < -1 || !(GetTickCount() % 5) && *(v3 + 40) > 0x64 )
goto LABEL_75;
CString::operator=(v2[15]);
sub_427717(lpString, v3 + 44);
if ( *(v3 + 44) < -1 || !(GetTickCount() % 3) && *(v3 + 44) > 0x64 )
goto LABEL_75;
CString::operator=(v2[16]);
sub_427717(lpString, v3 + 48);
if ( *(v3 + 48) < -1 || !(GetTickCount() & 3) && *(v3 + 48) > 0x64 )
goto LABEL_75;
CString::operator=(v2[17]);
sub_427717(lpString, v3 + 52);
if ( *(v3 + 52) < -1 || !(GetTickCount() % 5) && *(v3 + 52) > 0x64 )
goto LABEL_75;
CString::operator=(v2[18]);
sub_427717(lpString, v3 + 56);
if ( *(v3 + 56) < -1 || !(GetTickCount() % 3) && *(v3 + 56) > 0x64 )
goto LABEL_75;
CString::operator=(v2[19]);
sub_427717(lpString, v3 + 60);
v11 = *(v3 + 60);
if ( v11 < -1 )
goto LABEL_75;
if ( v11 != -1 )
*(v3 + 60) = v11 + 2000;
if ( !(GetTickCount() & 3) )
{
v12 = *(v3 + 60);
if ( v12 != -1 && v12 < 0x7D4 )
goto LABEL_75;
}
CString::operator=(v2[20]);
sub_427717(lpString, v3 + 64);
if ( *(v3 + 64) < 0xFFFFFFFF || !(GetTickCount() % 5) && *(v3 + 64) > 0xC )
goto LABEL_75;
CString::operator=(v2[21]);
sub_427717(lpString, v3 + 68);
if ( *(v3 + 68) < -1 || !(GetTickCount() % 3) && *(v3 + 68) > 0x1F )
goto LABEL_75;
CString::operator=(v2[22]);
sub_427717(lpString, v3 + 72);
v13 = *(v3 + 72);
if ( v13 < -1 )
goto LABEL_75;
if ( v13 != -1 )
*(v3 + 72) = v13 + 0x7D0;
if ( !(GetTickCount() & 3) && *(v3 + 72) > 0x7E8 )
goto LABEL_75;
CString::operator=(v2[23]);
sub_427717(lpString, v3 + 76);
if ( *(v3 + 76) < -1 || !(GetTickCount() % 5) && *(v3 + 76) > 0xC )
goto LABEL_75;
CString::operator=(v2[24]);
sub_427717(lpString, v3 + 80);
if ( *(v3 + 80) < -1 || !(GetTickCount() % 3) && *(v3 + 80) > 0x1F )
goto LABEL_75;
if ( ((CString::operator=(v2[25]), sub_427717(lpString, v3 + 84), GetTickCount() % 3) || !*(v3 + 84))
&& ((CString::operator=(v2[26]), sub_427717(lpString, v3 + 88), GetTickCount() & 3) || !*(v3 + 88))
&& ((CString::operator=(v2[27]), sub_427717(lpString, v3 + 92), GetTickCount() % 5) || !*(v3 + 92)) )
{
v14 = CString::Mid(&v20, &v18, 28);
LOBYTE(v21) = 6;
sub_544C27((v3 + 96), v14);
LOBYTE(v21) = 1;
sub_544AE0(&v18);
if ( *v3 == 1 )
{
v15 = v19;
v16 = *v17;
if ( *v17 & 1 )
*v19 |= 1u;
if ( v16 & 2 )
*v15 |= 2u;
*v17 = 0;
}
v6 = 0;
}
else
{
LABEL_75:
v6 = -1;
}
LOBYTE(v21) = 0;
sub_544AE0(&lpString);
v21 = -1;
sub_544AE0(&v20);
return v6;
}
除掉GetTickCount(),把其当作每个check都要满足,即不goto LABEL_75
通过如下数据进行举例
将得到密文
[Plain Text] 纯文本查看 复制代码
0343F768 25 00 00 00 74 F7 43 03 00 00 00 00 41 41 41 41 %...t÷C.....AAAA
0343F778 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0343F788 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0343F798 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0343F7A8 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0343F7B8 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0343F7C8 41 00 64 35 36 35 65 63 35 35 65 66 63 61 66 32 A.d565ec55efcaf2
0343F7D8 64 32 38 61 64 30 62 38 31 34 37 35 33 30 62 32 d28ad0b8147530b2
0343F7E8 61 65 21 21 21 33 2D 34 23 23 38 28 3F 25 25 25 ae!!!3-4##8(?%%%
0343F7F8 23 23 22 22 22 22 22 22 22 22 22 22 22 23 00 00 ##"""""""""""#..
转换后
[Plain Text] 纯文本查看 复制代码
0018D890 23 22 22 22 22 22 22 22 22 22 22 22 23 23 25 25 #"""""""""""##%%
0018D8A0 25 3F 28 38 23 23 34 2D 33 21 21 21 65 61 32 62 %?(8##4-3!!!ea2b
0018D8B0 30 33 35 37 34 31 38 62 30 64 61 38 32 64 32 66 0357418b0da82d2f
0018D8C0 61 63 66 65 35 35 63 65 35 36 35 64 00 41 41 41 acfe55ce565d.AAA
0018D8D0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0018D8E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0018D8F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0018D900 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0018D910 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0018D920 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA..............
后面的AAAAAAAAAAA可以看作padding,没有细看具体之后有啥作用
作者在过程中使用的大小0x5e字符串表,从0x21开始 // 这里使用的wchat_t
[Plain Text] 纯文本查看 复制代码
0018CB54 21 00 22 00 23 00 24 00 25 00 26 00 27 00 28 00 !.".#.$.%.&.'.(.
0018CB64 29 00 2A 00 2B 00 2C 00 2D 00 2E 00 2F 00 30 00 ).*.+.,.-.../.0.
0018CB74 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8.
0018CB84 39 00 3A 00 3B 00 3C 00 3D 00 3E 00 3F 00 40 00 9.:.;.<.=.>.?.@.
0018CB94 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 A.B.C.D.E.F.G.H.
0018CBA4 49 00 4A 00 4B 00 4C 00 4D 00 4E 00 4F 00 50 00 I.J.K.L.M.N.O.P.
0018CBB4 51 00 52 00 53 00 54 00 55 00 56 00 57 00 58 00 Q.R.S.T.U.V.W.X.
0018CBC4 59 00 5A 00 5B 00 5C 00 5D 00 5E 00 5F 00 60 00 Y.Z.[.\.].^._.`.
0018CBD4 61 00 62 00 63 00 64 00 65 00 66 00 67 00 68 00 a.b.c.d.e.f.g.h.
0018CBE4 69 00 6A 00 6B 00 6C 00 6D 00 6E 00 6F 00 70 00 i.j.k.l.m.n.o.p.
0018CBF4 71 00 72 00 73 00 74 00 75 00 76 00 77 00 78 00 q.r.s.t.u.v.w.x.
0018CC04 79 00 7A 00 7B 00 7C 00 7D 00 7E 00 00 00 00 00 y.z.{.|.}.~.....
将0x1c数据 // char_t
[Plain Text] 纯文本查看 复制代码
0018D890 23 22 22 22 22 22 22 22 22 22 22 22 23 23 25 25 #"""""""""""##%%
0018D8A0 25 3F 28 38 23 23 34 2D 33 21 21 21 65 61
转化成 // TABLE_AFTER_CONVERT
[Plain Text] 纯文本查看 复制代码
0018EDA0 02 00 00 00 5F 00 00 00 01 00 00 00 5F 00 00 00 ...._......._...
0018EDB0 01 00 00 00 01 00 00 00 01 00 00 00 5F 00 00 00 ............_...
0018EDC0 60 00 00 00 02 00 00 00 04 00 00 00 04 00 00 00 `...............
0018EDD0 04 00 00 00 1E 00 00 00 07 00 00 00 E7 07 00 00 ............ç...
0018EDE0 02 00 00 00 02 00 00 00 E3 07 00 00 0C 00 00 00 ........ã.......
0018EDF0 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
算法描述
[Plain Text] 纯文本查看 复制代码
signed int __cdecl sub_426B4A(_WORD *a1, __int16 a2)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v2 = a1;
result = 0;
while ( *v2 != a2 )
{
++result;
++v2;
if ( result >= 0x5E )
return 0;
}
return result;
}
-->
v12 = 1;
*a2 = 1;
v6 = wcslen(a1) - 1;
if ( v6 >= 0 )
{
v7 = &a1[v6];
v8 = v6 + 1;
do
{
*a2 += v12 * sub_426B4A(&v10, *v7); // 找到对应字符的位置
--v7;
--v8;
v12 *= 94;
}
while ( v8 );
}
第一次:
0x23
获得对应表中的位置为 2,故TABLE_AFTER_CONVERT[0] = 1 * 2 = 2 // index 从0开始算
第二次:
通过
[Plain Text] 纯文本查看 复制代码
v7 = sub_53D559(&v20, &v19, 1, 2);
sub_544C27(&lpString, v7);
v17 = (v3 + 4);
sub_427752(lpString, v3 + 4);
构成
[Plain Text] 纯文本查看 复制代码
wchat_t(0x22 0x22)
TABLE_AFTER_CONVERT[1] = 1 * 1 + 94 * 1 = 0x5f
第三次:
[Plain Text] 纯文本查看 复制代码
TABLE_AFTER_CONVERT[2] = 1
后面根据代码即可推断出,然后对应到相应的验证
[Plain Text] 纯文本查看 复制代码
TABLE_AFTER_CONVERT[0] <= 0xA
TABLE_AFTER_CONVERT[2] <= 0x64
...
TABLE_AFTER_CONVERT[15] + 0x7D0 >= 0x7d4
注意到,后面的处理日期,还有一些需要满足的check
[Plain Text] 纯文本查看 复制代码
int __thiscall sub_429A90(void *this)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v1 = this;
sub_42B19D(&v42);
v41 = *(v1 + 136);
v36 = sub_53DD4E(&v42, 0)->tm_year + 1900;
v37 = sub_53DD4E(&v42, 0)->tm_mon + 1;
v38 = sub_53DD4E(&v42, 0)->tm_mday;
v33 = sub_53DD4E(&v41, 0)->tm_year + 1900;
v2 = sub_53DD4E(&v41, 0)->tm_mon + 1;
v35 = sub_53DD4E(&v41, 0)->tm_mday;
if ( !*(v1 + 120) )
{
.........
.........
.........
if ( *(v1 + 122) )
return 0;
if ( *(*(v1 + 124) - 8) )
{
if ( sub_42790B(*(v1 + 124)) ) // check name
{
v4 = *(v1 + 128);
if ( *(v4 - 2) ) // check regcode
{
if ( sub_427A50(v4, 60) )
{
v33 = -1;
v34 = -1;
v35 = -1;
sub_4266B3(*(v1 + 148), &v33);
v6 = v5;
if ( !(*(v1 + 44) & 2) || (*(*v1 + 8))(v1, &v33, v1 + 60) )
{
if ( !(*(v1 + 44) & 1) || (*(*v1 + 4))(v1, &v33, v1 + 48) )
{
if ( !(*(v1 + 44) & 8) || (*(*v1 + 16))(v1, &v36, v1 + 0x54) )
{
if ( !(*(v1 + 44) & 4) )
return 0;
v10 = *v1;
v11 = v6;
unknown_libname_490(&v42);
if ( (*(v10 + 12))(v1, v11, v1 + 0x48) )
return 0;
v12 = GetTickCount();
if ( v12 % 3 != 1 )
{
if ( v12 % 3 != 2 )
{
v24 = 20;
goto LABEL_20;
}
v25 = 29;
v20 = 20;
goto LABEL_22;
}
v26 = 20;
v21 = 118;
}
else
{
v9 = GetTickCount();
if ( v9 % 3 != 1 )
{
if ( v9 % 3 != 2 )
{
v24 = 21;
goto LABEL_20;
}
v25 = 30;
v20 = 21;
goto LABEL_22;
}
v26 = 21;
v21 = 119;
}
}
else
{
v8 = GetTickCount();
if ( v8 % 3 != 1 )
{
if ( v8 % 3 != 2 )
{
v24 = 10;
goto LABEL_20;
}
v25 = 19;
v20 = 10;
LABEL_22:
sub_42AED9(v1, 2u, v20, 0xCu, v25);
return 0;
}
v26 = 10;
v21 = 108;
}
}
else
{
v7 = GetTickCount();
if ( v7 % 3 != 1 )
{
if ( v7 % 3 != 2 )
{
v24 = 11;
LABEL_20:
sub_43DFD0(v1, 2u, v24);
return 0;
}
v25 = 20;
v20 = 11;
goto LABEL_22;
}
v26 = 11;
v21 = 109;
}
sub_427DC5(v1, 0x66u, v21, 2u, v26);
return 0;
}
}
}
}
LABEL_74:
v17 = GetTickCount();
if ( v17 % 3 == 1 )
{
sub_427DC5(v1, 0x68u, 0x6Cu, 4u, 0xAu);
}
else if ( v17 % 3 == 2 )
{
sub_42AED9(v1, 4u, 0xAu, 0xEu, 0x13u);
}
else
{
sub_43DFD0(v1, 4u, 0xAu);
}
return 0;
}
if ( *(v1 + 122) )
return 0;
if ( *(*(v1 + 124) - 8) || *(*(v1 + 128) - 8) )
goto LABEL_74;
v30 = -1;
v31 = -1;
v32 = -1;
sub_4266B3(*(v1 + 148), &v30);
v13 = *(v1 + 140);
v14 = v13 == 0;
if ( v13 <= 0 )
{
LABEL_66:
if ( !v14 )
goto LABEL_74;
v16 = GetTickCount();
if ( v16 % 3 != 1 )
{
if ( v16 % 3 != 2 )
{
v27 = 1;
LABEL_84:
sub_43DFD0(v1, 1u, v27);
return 0;
}
v28 = 10;
v22 = 1;
goto LABEL_86;
}
v29 = 1;
v23 = 99;
goto LABEL_88;
}
if ( v13 > *(v1 + 8) )
{
v14 = v13 == 0;
goto LABEL_66;
}
if ( *(v1 + 4) == 10 )
{
if ( !dword_689074 )
{
sub_429EF4(v1, v13 - 1);
dword_689074 = 1;
}
}
else if ( *(v1 + 4) == 20 )
{
if ( v36 != v33 || v37 != v2 || v38 != v35 )
{
sub_41F003(&v42, &v40, v41);
v15 = *(v1 + 140) - abs(v40 / 86400);
sub_429EF4(v1, v15);
}
}
else if ( *(v1 + 4) == 21 && (v36 != v33 || v37 != v2 || v38 != v35) )
{
sub_429EF4(v1, v13 - 1);
}
return 0;
}
还有没有其他check就不知道了
B段就是衔接然后判断md5了
[mw_shl_code=text,true]
{
if ( sub_427100(v39 + 3, v36) )
{
v31 = -2;
_CxxThrowException(&v31, &_TI1H);
}
lpWideCharStr = off_68360C;
v13 = v12[31];
LOBYTE(v42) = 3;
sub_53DA79(&lpWideCharStr, aS_S, v12[36]);
LOBYTE(v27) = HIBYTE(a2);
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::_Tidy(0);
LOBYTE(v42) = 4;
sub_425CF9(lpWideCharStr);
sub_42B579(&v33);
memset(&v23, 0, 0x41u);
v14 = v28;
if ( !v28 )
v14 = MultiByteStr;
v15 = *(a2 + 4);
v16 = *a2;
v11 = (*a2)-- < 1u;
v17 = v29;
*(a2 + 4) = v15 - v11;
if ( _md5(v14, v16, v15, v14, v17, &v23) )
{
v30 = -2;
_CxxThrowException(&v30, &_TI1H);
}
sub_544BA9(&v38, &v23);
LOBYTE(v42) = 5;
if ( wcscmp(v39[27], v38) )
{
v34 = -1;
_CxxThrowException(&v34, &_TI1H);
}
v37 = 0;
_CxxThrowException(&v37, &_TI1H);
}
v37=0的话,走到像catch的这种地方
[Plain Text] 纯文本查看 复制代码
.text:0042996E loc_42996E: ; DATA XREF: .rdata:stru_5929A0↓o
.text:0042996E ; catch(int) // owned by 429423
.text:0042996E 83 7D 0C 00 cmp [ebp+_regcode], 0
.text:00429972 0F 85 E6 00 00 00 jnz loc_429A5E
.text:00429978 8D 45 B0 lea eax, [ebp+var_50]
.text:0042997B 50 push eax
.text:0042997C E8 1C 18 00 00 call sub_42B19D
.text:00429981 8B 7D B4 mov edi, [ebp+var_4C]
.text:00429984 8B 00 mov eax, [eax]
.text:00429986 8B 1D 88 12 57 00 mov ebx, ds:GetTickCount
.text:0042998C 59 pop ecx
.text:0042998D 89 87 84 00 00 00 mov [edi+84h], eax
.text:00429993 89 87 88 00 00 00 mov [edi+88h], eax
.text:00429999 FF D3 call ebx ; GetTickCount
.text:0042999B 6A 03 push 3
.text:0042999D 33 D2 xor edx, edx
.text:0042999F 59 pop ecx
.text:004299A0 F7 F1 div ecx
.text:004299A2 4A dec edx
.text:004299A3 74 21 jz short loc_4299C6
.text:004299A5 4A dec edx
.text:004299A6 74 0D jz short loc_4299B5
.text:004299A8 6A 00 push 0
.text:004299AA 6A 02 push 2
.text:004299AC 8B CF mov ecx, edi
.text:004299AE E8 1D 46 01 00 call sub_43DFD0
.text:004299B3 EB 20 jmp short loc_4299D5
.text:004299B5 ; ---------------------------------------------------------------------------
.text:004299B5
.text:004299B5 loc_4299B5: ; CODE XREF: sub_429389+61D↑j
.text:004299B5 6A 09 push 9
.text:004299B7 6A 0C push 0Ch
.text:004299B9 6A 00 push 0
.text:004299BB 6A 02 push 2
.text:004299BD 8B CF mov ecx, edi
.text:004299BF E8 15 15 00 00 call sub_42AED9
.text:004299C4 EB 0F jmp short loc_4299D5
.text:004299C6 ; ---------------------------------------------------------------------------
.text:004299C6
.text:004299C6 loc_4299C6: ; CODE XREF: sub_429389+61A↑j
.text:004299C6 6A 00 push 0
.text:004299C8 6A 02 push 2
.text:004299CA 6A 62 push 62h
.text:004299CC 6A 66 push 66h
.text:004299CE 8B CF mov ecx, edi
.text:004299D0 E8 F0 E3 FF FF call sub_427DC5
.text:004299D5
.text:004299D5 loc_4299D5: ; CODE XREF: sub_429389+62A↑j
.text:004299D5 ; sub_429389+63B↑j
.text:004299D5 8B CF mov ecx, edi
.text:004299D7 E8 B4 00 00 00 call sub_429A90
.text:004299DC 66 83 7F 78 02 cmp word ptr [edi+78h], 2
.text:004299E1 75 07 jnz short loc_4299EA
.text:004299E3 66 83 7F 7A 00 cmp word ptr [edi+7Ah], 0
.text:004299E8 74 0E jz short loc_4299F8
如上述所说,注意到sub_429A90还有一些check
最后手工构造了下(上面的密文),显示成功,但可能有些check没处理完,看了下注册表解密生成的这样的
[Plain Text] 纯文本查看 复制代码
L"1\n2\[url=mailto:nnisy@chinapyg.com]nnisy@chinapyg.com[/url]\nttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt\n5DF8F0F7\n5DF8F0F7\n0\n"
KeyGen的话,生成一组rsa数据,其中模数长度为0x1180,指数为0x15233,然后得到明文,模数转成60进制,前者用于输入,后者用于patch |
评分
-
查看全部评分
|
[复制链接]
IP卡
发表于 2019-12-18 00:12:47
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2019-12-18 09:05:23
发表于 2019-12-18 10:09:20
发表于 2019-12-18 11:02:48
发表于 2019-12-18 11:09:01
发表于 2019-12-20 07:41:28