一个裸奔的递归算法的keygenme

KaQqi · 发表于 2019-5-16 19:58

本帖最后由 KaQqi 于 2019-5-19 16:25 编辑

成功或者失败提示：

要求：keygen
https://www.lanzouj.com/i46mpna

楼下大佬太强了
视频：https://www.bilibili.com/video/av52823122/

梦游枪手 · 发表于 2019-5-16 22:48

本帖最后由梦游枪手于 2019-5-16 22:53 编辑

有两个bug说下第一个

这里使用了注册码的前两位来计算真正的注册码，这样子下面的判断不可能为成功，楼主是想用输入的数字的前两位计算注册码吗？
第二个

count没有在判断结束后清零，导致realcode在每次判断后都会跟之前的注册码叠加在一起，在判断结束后应该将realcode和count一起清零
附上python写的注册机，虽然现在还不知道对不对

[Python] 纯文本查看 复制代码

tablesize=0
table=[0]*10000
realcode=[0]*10000
stringtable=[0]*100
stringcount=0
def rowtostring():
    global stringcount
    for i in range(1,tablesize+1):
        realcode[stringcount]=stringtable[i]+0x30
        stringcount+=1
    return
def cellhadnotnum(row,col):
    for i in range(1,col+1):
        if table[100 * row + i] == 1:
            return False
        if row - i >= 0 and table[100 * (row - i) + col - i] == 1:
            return False;
        if row - i <= tablesize and table[100 * (i + row) + col - i] == 1:
             return False;
    return True
def calcrealcode(col):
    if col>tablesize:
        return 0
    for row in range(1,tablesize+1):
        if cellhadnotnum(row,col):
            table[100*row+col]=1
            stringtable[col]=row
            if col==tablesize:
                rowtostring()
                table[100*row+col]=0
            else:
                calcrealcode(col+1)
                table[100*row+col]=0
    stringtable[col]=0
if __name__=='__main__':
    inputnum=raw_input()
    num=[]
    for i in inputnum:
        num.append(ord(i)-ord('0'))
    if len(num)>=2:
        tablesize=(num[0]*0x5c+8*num[1])%0x100%10
        if tablesize==0:
            tablesize=9
        calcrealcode(1)
    code=''
    for i in range(stringcount):
        code+=chr(realcode[i]+0x30)
    stringcount=0
    print code

weikun444 · 发表于 2019-5-16 20:53

int __thiscall sub_401370(_DWORD *this)
{
  int v1; // ecx
  int result; // eax
  int v3; // ecx
  int v4; // ecx
  int v5; // ecx
  int v6; // ecx
  int v7; // ecx
  int v8; // ecx
  int v9; // ecx
  int v10; // ecx
  int v11; // ecx
  int v12; // [esp-8h] [ebp-C0h]
  int v13; // [esp-4h] [ebp-BCh]
  _DWORD *v14; // [esp+4h] [ebp-B4h]
  int v15; // [esp+8h] [ebp-B0h]
  char v16; // [esp+Ch] [ebp-ACh]
  char v17; // [esp+10h] [ebp-A8h]
  int *v18; // [esp+14h] [ebp-A4h]
  char v19; // [esp+18h] [ebp-A0h]
  char v20; // [esp+1Ch] [ebp-9Ch]
  int *v21; // [esp+20h] [ebp-98h]
  char v22; // [esp+24h] [ebp-94h]
  char v23; // [esp+28h] [ebp-90h]
  int *v24; // [esp+2Ch] [ebp-8Ch]
  char v25; // [esp+30h] [ebp-88h]
  char v26; // [esp+34h] [ebp-84h]
  int *v27; // [esp+38h] [ebp-80h]
  char v28; // [esp+3Ch] [ebp-7Ch]
  char v29; // [esp+40h] [ebp-78h]
  int *v30; // [esp+44h] [ebp-74h]
  char v31; // [esp+48h] [ebp-70h]
  char v32; // [esp+4Ch] [ebp-6Ch]
  int *v33; // [esp+50h] [ebp-68h]
  char v34; // [esp+54h] [ebp-64h]
  char v35; // [esp+58h] [ebp-60h]
  int *v36; // [esp+5Ch] [ebp-5Ch]
  char v37; // [esp+60h] [ebp-58h]
  char v38; // [esp+64h] [ebp-54h]
  int *v39; // [esp+68h] [ebp-50h]
  int v40; // [esp+6Ch] [ebp-4Ch]
  char v41; // [esp+70h] [ebp-48h]
  char v42; // [esp+74h] [ebp-44h]
  int *v43; // [esp+78h] [ebp-40h]
  int v44; // [esp+7Ch] [ebp-3Ch]
  char v45; // [esp+80h] [ebp-38h]
  char v46; // [esp+84h] [ebp-34h]
  int *v47; // [esp+88h] [ebp-30h]
  size_t i; // [esp+8Ch] [ebp-2Ch]
  char v49; // [esp+93h] [ebp-25h]
  char v50; // [esp+94h] [ebp-24h]
  char *v51; // [esp+98h] [ebp-20h]
  char v52; // [esp+9Ch] [ebp-1Ch]
  char v53; // [esp+A0h] [ebp-18h]
  char v54; // [esp+A4h] [ebp-14h]
  char *Str; // [esp+A8h] [ebp-10h]
  int v56; // [esp+B4h] [ebp-4h]

  v14 = this;
  QLineEdit::text(this[9], &v54);
  v56 = 0;
  QString::toLatin1(&v54, &v50);
  LOBYTE(v56) = 1;
  v51 = QByteArray::data((QByteArray *)&v50);
  QLineEdit::text(v14[13], &v53);
  LOBYTE(v56) = 2;
  QString::toLatin1(&v53, &v52);
  LOBYTE(v56) = 3;
  Str = QByteArray::data((QByteArray *)&v52);
  for ( i = 0; i < strlen(Str); ++i )
Str[i] -= 48;
  if ( *v51 >= 48 && *v51 <= 57 )
  {
if ( v51[1] >= 48 && v51[1] <= 57 )
{
   v49 = (char)(92 * *Str + 8 * Str[1]) % 10;
   if ( !v49 )
      v49 = 9;
   dword_40CAD8 = v49;
   sub_401290(1);
   if ( !strcmp(Str1, Str) )
   {
      QString::QString((QString *)&v38, "You win.");
      LOBYTE(v56) = 8;
      QString::QString((QString *)&v37, "Success!");
      LOBYTE(v56) = 9;
      v13 = 0;
      v12 = v4;
      v39 = &v12;
      unknown_libname_1(1024);
      QMessageBox::information(v14, &v37, &v38);
      LOBYTE(v56) = 8;
      QString::~QString((QString *)&v37);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v38);
   }
   else
   {
      QString::QString((QString *)&v35, "failed");
      LOBYTE(v56) = 10;
      QString::QString((QString *)&v34, "warning");
      LOBYTE(v56) = 11;
      v13 = 0;
      v12 = v5;
      v36 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v34, &v35);
      LOBYTE(v56) = 10;
      QString::~QString((QString *)&v34);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v35);
      QString::QString((QString *)&v32, "Nuclear missile launched.");
      LOBYTE(v56) = 12;
      QString::QString((QString *)&v31, "warning");
      LOBYTE(v56) = 13;
      v13 = 0;
      v12 = v6;
      v33 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v31, &v32);
      LOBYTE(v56) = 12;
      QString::~QString((QString *)&v31);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v32);
      QString::QString((QString *)&v29, "Iron Curtain Activated");
      LOBYTE(v56) = 14;
      QString::QString((QString *)&v28, "warning");
      LOBYTE(v56) = 15;
      v13 = 0;
      v12 = v7;
      v30 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v28, &v29);
      LOBYTE(v56) = 14;
      QString::~QString((QString *)&v28);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v29);
      QString::QString((QString *)&v26, "Chronosphere Activated");
      LOBYTE(v56) = 16;
      QString::QString((QString *)&v25, "warning");
      LOBYTE(v56) = 17;
      v13 = 0;
      v12 = v8;
      v27 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v25, &v26);
      LOBYTE(v56) = 16;
      QString::~QString((QString *)&v25);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v26);
      QString::QString((QString *)&v23, "Lightning Storm Created");
      LOBYTE(v56) = 18;
      QString::QString((QString *)&v22, "warning");
      LOBYTE(v56) = 19;
      v13 = 0;
      v12 = v9;
      v24 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v22, &v23);
      LOBYTE(v56) = 18;
      QString::~QString((QString *)&v22);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v23);
      QString::QString((QString *)&v20, "Genetic Mutator Activated");
      LOBYTE(v56) = 20;
      QString::QString((QString *)&v19, "warning");
      LOBYTE(v56) = 21;
      v13 = 0;
      v12 = v10;
      v21 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v19, &v20);
      LOBYTE(v56) = 20;
      QString::~QString((QString *)&v19);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v20);
      QString::QString((QString *)&v17, "Psychic Dominator Activated");
      LOBYTE(v56) = 22;
      QString::QString((QString *)&v16, "warning");
      LOBYTE(v56) = 23;
      v13 = 0;
      v12 = v11;
      v18 = &v12;
      unknown_libname_1(1024);
      QMessageBox::warning(v14, &v16, &v17);
      LOBYTE(v56) = 22;
      QString::~QString((QString *)&v16);
      LOBYTE(v56) = 3;
      QString::~QString((QString *)&v17);
   }
   v15 = 0;
   LOBYTE(v56) = 2;
   QByteArray::~QByteArray((QByteArray *)&v52);
   LOBYTE(v56) = 1;
   QString::~QString((QString *)&v53);
   LOBYTE(v56) = 0;
   QByteArray::~QByteArray((QByteArray *)&v50);
   v56 = -1;
   QString::~QString((QString *)&v54);
   result = v15;
}
else
{
   QString::QString((QString *)&v42, "You can Only input numer.");
   LOBYTE(v56) = 6;
   QString::QString((QString *)&v41, "warning");
   LOBYTE(v56) = 7;
   v13 = 0;
   v12 = v3;
   v43 = &v12;
   unknown_libname_1(1024);
   QMessageBox::warning(v14, &v41, &v42);
   LOBYTE(v56) = 6;
   QString::~QString((QString *)&v41);
   LOBYTE(v56) = 3;
   QString::~QString((QString *)&v42);
   v40 = 0;
   LOBYTE(v56) = 2;
   QByteArray::~QByteArray((QByteArray *)&v52);
   LOBYTE(v56) = 1;
   QString::~QString((QString *)&v53);
   LOBYTE(v56) = 0;
   QByteArray::~QByteArray((QByteArray *)&v50);
   v56 = -1;
   QString::~QString((QString *)&v54);
   result = v40;
}
  }
  else
  {
QString::QString((QString *)&v46, "You can Only input number.");
LOBYTE(v56) = 4;
QString::QString((QString *)&v45, "warning");
LOBYTE(v56) = 5;
v13 = 0;
v12 = v1;
v47 = &v12;
unknown_libname_1(1024);
QMessageBox::warning(v14, &v45, &v46);
LOBYTE(v56) = 4;
QString::~QString((QString *)&v45);
LOBYTE(v56) = 3;
QString::~QString((QString *)&v46);
v44 = 0;
LOBYTE(v56) = 2;
QByteArray::~QByteArray((QByteArray *)&v52);
LOBYTE(v56) = 1;
QString::~QString((QString *)&v53);
LOBYTE(v56) = 0;
QByteArray::~QByteArray((QByteArray *)&v50);
v56 = -1;
QString::~QString((QString *)&v54);
result = v44;
  }
  return result;
}

KaQqi · 发表于 2019-5-16 20:02

dfs算法。。

KaQqi · 发表于 2019-5-16 20:56

本帖最后由 KaQqi 于 2019-5-16 21:00 编辑

weikun444 发表于 2019-5-16 20:53
int __thiscall sub_401370(_DWORD *this)
{
int v1; // ecx

伪代码太难看了，你需要总结出算法

而且你f5的位置也不对。。
你f5的地方只是一个字符串转换的地方。。。

涛之雨 · 发表于 2019-5-16 21:21

weikun444 发表于 2019-5-16 20:53
int __thiscall sub_401370(_DWORD *this)
{
int v1; // ecx

ida。。。这也算keygen？

Syke · 发表于 2019-5-16 21:32

瑟瑟发抖不明觉厉。。。。

KaQqi · 发表于 2019-5-16 21:35

涛之雨发表于 2019-5-16 21:21
ida。。。这也算keygen？

不算，他f5的地方都不对，他f5的地方就是一个字符串比较和转换类型，仅此而已

rickw · 发表于 2019-5-16 21:37

weikun444 发表于 2019-5-16 20:53
int __thiscall sub_401370(_DWORD *this)
{
int v1; // ecx

ida f5？再加上一些分析和注释更好一些。

这个地方已经看到消息了。

苏紫方璇 · 发表于 2019-5-16 22:55

梦游枪手发表于 2019-5-16 22:48
有两个bug说下第一个

这里使用了注册码的前两位来计算真正的注册码，这样子下面的判断不可能为成功，楼 ...

膜拜大神，我也觉得他写的有点问题，但是没看出来，看了你的知道哪有问题了

帐号		自动登录	找回密码
密码			注册[Register]

[KeyGenMe] 一个裸奔的递归算法的keygenme

本帖子中包含更多资源

免费评分

本帖被以下淘专辑推荐:

本帖子中包含更多资源

点评

免费评分

个人中心