【版本】 13.0.1 64 b i t \textcolor{green}{【版本】13.0.1\ 64bit} 【版本】13.0.1 64bit
注册的提示信息还有界面的提示信息很丰富,这为我们定位关键代码提供了充分的线索。将01Editor拖入IDA分析,直接字符串搜索“Thank you for purchasing 010 Editor!”就来到了关键位置( R V A = 0 x 210520 \textcolor{orange}{RVA = 0x210520} RVA=0x210520)。
进入序列号和用户名加密运算验证(*重点部分,后面再说。这里用 C h e c k 1 \textcolor{cornflowerblue}{Check1} Check1代替),会返回一个结果,这里用rs1代替。
进入第二处验证,用 C h e c k 2 \textcolor{cornflowerblue}{Check2} Check2代替,返回结果用rs2代替。
网络验证。发现最新版没有走网络验证。。。。因为有处条件永不满足
先判断用户名和序列号的长度均不为0才能往下验证,否则直接返回0x93。
再次检查序列号格式,并按照自定义方法将序列号转成16进制的字节数组
序列号的长度分为两种0x13和0x18。
转换结果用hb代称,hb中的每一个元素都是 serial 中除 ‘-’ 元素外的两两元素组合而成。 C h a r _ T r a n s F o r m \textcolor{cornflowerblue}{Char\_TransForm} Char_TransForm实现:
__int64 __fastcall Jmp_CharTransForm(__int64 a1, char a2)
{
if ( (unsigned __int8)(a2 - 0x30) <= 9u )
return (unsigned int)(a2 - 0x30);
if ( ((a2 - 'O') & 0xDF) == 0 ) // 只有a2 == 'O' 才满足,但是前面预处理的时候将'O'换成了0,
// 因此这里永不满足。
return 0i64;
if ( a2 == 'l' )
return 1i64;
if ( (unsigned __int8)(a2 - 'a') <= 0x19u )
return a2 - (unsigned int)'W';
if ( (unsigned __int8)(a2 - 'A') <= 0x19u )
return a2 - (unsigned int)'7';
else
return 0i64;
}
注意:这个函数是多对一的,所以这个函数的反函数就成了一对多。例如原函数输入一个‘ l ’或者‘ 1 ’,输出都是 1 ,反函数输入一个 1 ,输出可以任选‘ l ’和‘ 1 ’其一。 \textcolor{BrickRed}{注意:这个函数是多对一的,所以这个函数的反函数就成了一对多。例如原函数输入一个‘l’或者‘1’,输出都是1,反函数输入一个1,输出可以任选‘l’和‘1’其一。} 注意:这个函数是多对一的,所以这个函数的反函数就成了一对多。例如原函数输入一个‘l’或者‘1’,输出都是1,反函数输入一个1,输出可以任选‘l’和‘1’其一。
要对其进行求逆 R e C h a r T o B y t e \textcolor{cornflowerblue}{ReCharToByte} ReCharToByte,可以写成如下形式:
char ReCharToByte(unsigned char chr) { if (chr > 1 && chr <= 9) return chr + 0x30; if (chr == 0) { // 原输入有3种情况,这里随机选一种 switch (rand() % 3) { case 0:return chr + 0x30; case 1:return 'O'; case 2:return 'o'; } } if (chr == 1) { switch (rand() % 2) { case 0:return chr + 0x30; case 1:return 'l'; } } // 其余情况就是原本的输入是字母a-z/A-Z if (chr + '7' <= 'Z') return chr + '7'; return chr + 'W'; }
实际这个位置的校验没多大用处。 \textcolor{green}{实际这个位置的校验没多大用处。} 实际这个位置的校验没多大用处。
根据 h b [ 3 ] \textcolor{orange}{hb[3]} hb[3]的取值,分三种处理情况:
switch ( BYTE3(HexBytes) ) // HexBytes[3]
{
case 0x9C:
v19 = (unsigned __int8)(BYTE5(HexBytes) ^ BYTE2(HexBytes))// HexBytes[5] ^ HexBytes[2]
+ ((unsigned __int8)(HIBYTE(HexBytes) ^ BYTE1(HexBytes)) << 8);// (HexBytes[1] ^ HexBytes[7]) << 8
ri->X1 = (unsigned __int8)Xor_1((unsigned __int8)(BYTE6(HexBytes) ^ (unsigned __int8)HexBytes));// ((a1 ^ 0x18) + 0x3D) ^ 0xA7
v20 = (unsigned __int16)Calc_1(v19);
ri->X2 = (unsigned __int16)v20;
X1 = ri->X1;
if ( X1 && (unsigned int)(v20 - 1) <= 0x3E7 )
{
v22 = 0;
if ( X1 < 2 )
v22 = ri->X1;
End:
QString::toUtf8(&ri->UserName, v36); // UserName
LOBYTE(v4) = v18 != (char)0xFC;
v24 = QByteArray::data((QByteArray *)v36);
v25 = Calc_2((__int64)v24, v4, v22, (unsigned int)ri->X2);
if ( BYTE4(HexBytes) == (_BYTE)v25
&& (_BYTE)v14 == BYTE1(v25)
&& BYTE6(HexBytes) == BYTE2(v25)
&& HIBYTE(HexBytes) == HIBYTE(v25) )
{
if ( v18 == (char)0x9C )
{
if ( v34 > ri->X1 )
{
v26 = 0x4E;
LABEL_41:
QByteArray::~QByteArray((QByteArray *)v36);
return v26;
}
LABEL_33:
v26 = 0x2D;
goto LABEL_41;
}
if ( v18 == (char)0xFC )
{
v27 = Calc_3((unsigned __int8)HexBytes + (BYTE1(HexBytes) << 8) + (BYTE2(HexBytes) << 0x10), v25);
if ( v27 )
{
ri->X0 = v27;
v26 = 0x93;
goto LABEL_41;
}
}
else if ( v29 )
{
if ( v35 > v29 )
{
v26 = 0x4E;
goto LABEL_41;
}
goto LABEL_33;
}
}
v26 = 0xE7;
goto LABEL_41;
}
break;
case 0xFC:
v22 = 0xFF;
ri->X1 = 0xFF;
ri->X2 = 1;
ri->field_40 = 1;
goto End;
case 0xAC:
ri->X1 = 2;
v23 = Calc_1((unsigned __int16)((unsigned __int8)(v14 ^ v15) + ((unsigned __int8)(HIBYTE(HexBytes) ^ v16) << 8)));
ri->X2 = v23;
if ( (unsigned int)v23 - 1 <= 0x3E7 )
{
v29 = Calc_3(
(BYTE6(HexBytes) ^ v17)
+ ((v14 ^ HexBytes_Off_9) << 0x10)
+ ((HexBytes_Off_8 ^ (unsigned int)BYTE4(HexBytes)) << 8),
0x5B8C27i64);
ri->field_44 = v29;
v22 = v29;
goto End;
}
break;
}
return 0xE7i64;
}
return 0x93i64;
}
由于编译器优化,这部分代码可读性比较差,手动分析整理之后得到伪代码:
/*
Check1后部分的逻辑
*/
if(len(UserName)==0 || len(Serial) == 0)
return 0x93;
v29 = 0;
// case 0x9C:
v19 = (hb[5] ^ hb[2]) + ((hb[1] ^ hb[7])<<8);
v21 = Xor_1(hb[6] ^ hb[0]); // v21
v20 = Calc_1(v19); //
if(v21 && (v20-1) <= 999)
{
v22 = 0;
if(v21 < 2)
v22 = v21;
v25 = Calc_2(UserName, True, v22, v20); // v25 是4字节长度
if(hb[4] == v25[0] && hb[5] == v25[1] && hb[6] == v25[2] && hb[7] == v25[3])
{
if(0xE > v21)
return 0x4E;
return 0x2D;
}
}
return 0xE7;
//case 0xFC:
v25 = Calc_2(UserName, False, 0xFF, 1); // v25 是4字节长度
if(hb[4] == v25[0] && hb[5] == v25[1] && hb[6] == v25[2] && hb[7] == v25[3])
{
v27 = Calc_3(hb[0] + (hb[1] << 8) + (hb[2] << 0x10), v25);
if(v27)
{
*(_DWORD *)(a1 + 0x28) = v27;
return 0x93;
}
}
return 0xE7;
//case 0xAC:
v23 = Calc_1((hb[5] ^ hb[2]) + ((hb[7] ^ hb[1]) << 8));
if ( (unsigned int)v23 - 1 <= 0x3E7 )
{
v29 = Calc_3(
(hb[6] ^ hb[0]) + ((hb[5] ^ v41) << 0x10) + ((v40 ^ hb[4]) << 8),
0x5B8C27);
v25 = Calc_2(UserName, False, v29, v23); // v25 是4字节长度
if(hb[4] == v25[0] && hb[5] == v25[1] && hb[6] == v25[2] && hb[7] == v25[3])
{
if(v29)
{
if(0x4B2>v29)
return 0x4E;
}
}
}
return 0xE7;
其中有几个函数需要关注:
X o r _ 1 \textcolor{cornflowerblue}{Xor\_1} Xor_1
char __fastcall sub_36D330(char a1)
{
return ((a1 ^ 0x18) + 0x3D) ^ 0xA7;
}
这个函数可逆,单射。逆函数 R e X o r _ 1 \textcolor{cornflowerblue}{ReXor\_1} ReXor_1
return ((a1 ^ 0xA7) - 0x3D) ^ 0x18;
C a l c _ 1 \textcolor{cornflowerblue}{Calc\_1} Calc_1
__int64 __fastcall sub_36D2A0(__int16 a1)
{
unsigned int v1; // r8d
v1 = (unsigned __int16)((a1 ^ 0x7892) + 0x4D30) ^ 0x3421;
if ( v1 % 0xB )
return 0i64;
else
return (unsigned __int16)(v1 / 0xB);
}
此函数条件为真的分支存在多对1情况,导致逆函数不能保证得到正确的原函数输入,而原函数的输入在后面验证的时候还需要用到。因此,这个函数的逆函数没有意义。
C a l c _ 2 \textcolor{cornflowerblue}{Calc\_2} Calc_2
__int64 __fastcall sub_36D380(BYTE *UserName, int a2, char a3, __int64 a4)
{
...
v5 = 0;
if ( len_username > 0 )
{
i = 0i64;
v9 = 0;
v10 = 0xF * a4;
v11 = 0;
v12 = 0x11 * a3;
do
{
v13 = toupper(UserName[i]);
v14 = &g_Box[v12];
v15 = v5 + g_Box[v13];
v16 = &g_Box[v10];
if ( a2 )
{
v17 = g_Box[(unsigned __int8)(v13 + 0xD)];
v18 = (unsigned __int8)(v13 + 0x2F);
v19 = v9;
}
else
{
v17 = g_Box[(unsigned __int8)(v13 + 0x3F)];
v18 = (unsigned __int8)(v13 + 0x17);
v19 = v11;
}
v12 += 9;
v10 += 13;
v9 += 19;
v11 += 7;
++i;
v5 = *v16 + *v14 + g_Box[v19] + g_Box[v18] * (v15 ^ v17);
}
while ( i < len_username );
}
return v5;
}
此函数是将UserName编码,记为ans,用来和序列号某个部分进行对比的,所以该函数也不用求逆。
这部分校验只要返回0xDB,就表示注册成功了,这就要求Check1返回0x2D,所以重点还是在Check1。
以上就是所有注册算法流程,接下来考虑如何获得正确的任意用户名的序列号。
我们期望Check1返回0x2D。通过分析,得知只有一条路径可以返回,即 h b [ 3 ] = = 0 x 9 C \textcolor{orange}{hb[3]\ ==\ 0x9C} hb[3] == 0x9C时,满足:
v19 = (hb[5] ^ hb[2]) + ((hb[1] ^ hb[7])<<8);
v20 = Calc_1(v19);
v20 - 1 < 999;
v25 = Calc_2(user, true, 0, v20);
char* a1 = reinterpret_cast(&v25);
hb[4] == a1[0] && hb[5] == a1[1] && hb[6] == a1[2] && hb[7] == a1[3]
Xor_1(hb[6] ^ hb[0]) > 0xE
从条件约束中发现,其实serial长度应该是20。我们可以先枚举hb下标为1,2,5,7对应的元素,这样枚举空间就在 25 6 4 = 4294967296 \textcolor{orange}{256^4\ =\ 4294967296} 2564 = 4294967296内,还能接受。在满足条件3、6和7,就能确定hb中的所有元素,然后反求得serial。
综合以上条件得到注册机的代码:
unsigned char g_Data[24] = { 0x43,0x4f,0x57,0xd6,0x30,0xe3,0xca,0xb9,0xac,0xab,0xa1,0xc4,0x4a,0x55,0x59,0x2a,0x35,0xe2,0xc4,0x65,0xac,0xd3,0xa4,0xcb };
unsigned int g_Box[308] = { 0x39cb44b8,0x23754f67,0x5f017211,0x3ebb24da,0x351707c6,0x63f9774b,0x17827288,0xfe74821,0x5b5f670f,0x48315ae8,0x785b7769,0x2b7a1547,0x38d11292,0x42a11b32,0x35332244,0x77437b60,0x1eab3b10,0x53810000,0x1d0212ae,0x6f0377a8,0x43c03092,0x2d3c0a8e,0x62950cbf,0x30f06ffa,0x34f710e0,0x28f417fb,0x350d2f95,0x5a361d5a,0x15cc060b,0xafd13cc,0x28603bcf,0x3371066b,0x30cd14e4,0x175d3a67,0x6dd66a13,0x2d3409f9,0x581e7b82,0x76526b99,0x5c8d5188,0x2c857971,0x15f51fc0,0x68cc0d11,0x49f55e5c,0x275e4364,0x2d1e0dbc,0x4cee7ce3,0x32555840,0x112e2e08,0x6978065a,0x72921406,0x314578e7,0x175621b7,0x40771dbf,0x3fc238d6,0x4a31128a,0x2dad036e,0x41a069d6,0x25400192,0xdd4667,0x6afc1f4f,0x571040ce,0x62fe66df,0x41db4b3e,0x3582231f,0x55f6079a,0x1ca70644,0x1b1643d2,0x3f7228c9,0x5f141070,0x3e1474ab,0x444b256e,0x537050d9,0xf42094b,0x2fd820e6,0x778b2e5e,0x71176d02,0x7fea7a69,0x5bb54628,0x19ba6c71,0x39763a99,0x178d54cd,0x1246e88,0x3313537e,0x2b8e2d17,0x2a3d10be,0x59d10582,0x37a163db,0x30d6489a,0x6a215c46,0xe1c7a76,0x1fc760e7,0x79b80c65,0x27f459b4,0x799a7326,0x50ba1782,0x2a116d5c,0x63866e1b,0x3f920e3c,0x55023490,0x55b56089,0x2c391fd1,0x2f8035c2,0x64fd2b7a,0x4ce8759a,0x518504f0,0x799501a8,0x3f5b2cad,0x38e60160,0x637641d8,0x33352a42,0x51a22c19,0x85c5851,0x32917ab,0x2b770ac7,0x30ac77b3,0x2bec1907,0x35202d0,0xfa933d3,0x61255df3,0x22ad06bf,0x58b86971,0x5fca0de5,0x700d6456,0x56a973db,0x5ab759fd,0x330e0be2,0x5b3c0ddd,0x495d3c60,0x53bd59a6,0x4c5e6d91,0x49d9318d,0x103d5079,0x61ce42e3,0x7ed5121d,0x14e160ed,0x212d4ef2,0x270133f0,0x62435a96,0x1fa75e8b,0x6f092fbe,0x4a000d49,0x57ae1c70,0x4e2477,0x561e7e72,0x468c0033,0x5dcc2402,0x78507ac6,0x58af24c7,0xdf62d34,0x358a4708,0x3cfb1e11,0x2b71451c,0x77a75295,0x56890721,0xfef75f3,0x120f24f1,0x1990ae7,0x339c4452,0x27a15b8e,0xba7276d,0x60dc1b7b,0x4f4b7f82,0x67db7007,0x4f4a57d9,0x621252e8,0x20532cfc,0x6a390306,0x18800423,0x19f3778a,0x462316f0,0x56ae0937,0x43c2675c,0x65ca45fd,0xd604ff2,0xbfd22cb,0x3afe643b,0x3bf67fa6,0x44623579,0x184031f8,0x32174f97,0x4c6a092a,0x5fb50261,0x1650174,0x33634af1,0x712d18f4,0x6e997169,0x5dab7afe,0x7c2b2ee8,0x6edb75b4,0x5f836fb6,0x3c2a6dd6,0x292d05c2,0x52244db,0x149a5f4f,0x5d486540,0x331d15ea,0x4f456920,0x483a699f,0x3b450f05,0x3b207c6c,0x749d70fe,0x417461f6,0x62b031f1,0x2750577b,0x29131533,0x588c3808,0x1aef3456,0xf3c00ec,0x7da74742,0x4b797a6c,0x5ebb3287,0x786558b8,0xed4ff2,0x6269691e,0x24a2255f,0x62c11f7e,0x2f8a7dcd,0x643b17fe,0x778318b8,0x253b60fe,0x34bb63a3,0x5b03214f,0x5f1571f4,0x1a316e9f,0x7acf2704,0x28896838,0x18614677,0x1bf569eb,0xba85ec9,0x6aca6b46,0x1e43422a,0x514d5f0e,0x413e018c,0x307626e9,0x1ed1dfa,0x49f46f5a,0x461b642b,0x7d7007f2,0x13652657,0x6b160bc5,0x65e04849,0x1f526e1c,0x5a0251b6,0x2bd73f69,0x2dbf7acd,0x51e63e80,0x5cf2670f,0x21cd0a03,0x5cff0261,0x33ae061e,0x3bb6345f,0x5d814a75,0x257b5df4,0xa5c2c5b,0x16a45527,0x16f23945,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0 };
void ReStrsToHexBytes(unsigned char* hb, char* serial);
void BruteForce(char* user);
int main()
{
char user[] = "";
BruteForce(user);
return 0;
}
void BruteForce(char* user)
{
char serial[0x19] = { 0 };
unsigned char hb[8] = { 0 };
bool bGo = true;
hb[3] = 0x9C;
// 根据hb爆破serial,先找出符合条件的1,2,5,7下标对应的元素
for(unsigned char i1 = 0;i1<0xFF && bGo;i1++)
for (unsigned char i2 = 0; i2 < 0xFF && bGo; i2++)
for (unsigned char i5 = 0; i5 < 0xFF && bGo; i5++)
for (unsigned char i7 = 0; i7 < 0xFF && bGo; i7++)
{
unsigned short v19 = (i5 ^ i2) + ((i1 ^ i7) << 8);
unsigned int v20 = Calc_1(v19);
if((v20-1)>=999)
continue;
unsigned int v25 = Calc_2(user, true, 0, v20);
char* a1 = reinterpret_cast(&v25);
if (i5 == a1[1] && i7 == a1[3])
{
hb[1] = i1;
hb[2] = i2;
hb[4] = a1[0];
hb[5] = i5;
hb[6] = a1[2];
hb[7] = i7;
hb[0] = ReXor_1(0xF)^hb[6];
bGo = false;
break;
}
}
ReStrsToHexBytes(hb, serial);
printf("UserName: %s\nSerial: %s\n",user,serial);
}
void ReStrsToHexBytes(unsigned char* hb, char* serial)
{
serial[0] = ReCharToByte(hb[0] >> 4);
serial[1] = ReCharToByte(hb[0] & 0xF);
serial[2] = ReCharToByte(hb[1] >> 4);
serial[3] = ReCharToByte(hb[1] & 0xF);
serial[4] = '-';
serial[5] = ReCharToByte(hb[2] >> 4);
serial[6] = ReCharToByte(hb[2] & 0xF);
serial[7] = ReCharToByte(hb[3] >> 4);
serial[8] = ReCharToByte(hb[3] & 0xF);
serial[9] = '-';
serial[0xA] = ReCharToByte(hb[4] >> 4);
serial[0xB] = ReCharToByte(hb[4] & 0xF);
serial[0xC] = ReCharToByte(hb[5] >> 4);
serial[0xD] = ReCharToByte(hb[5] & 0xF);
serial[0xE] = '-';
serial[0xF] = ReCharToByte(hb[6] >> 4);
serial[0x10] = ReCharToByte(hb[6] & 0xF);
serial[0x11] = ReCharToByte(hb[7] >> 4);
serial[0x12] = ReCharToByte(hb[7] & 0xF);
}
由于没有网络验证,所以同一个用户名和序列号可无限使用。这里给出一组可用的用户名和序列号:
Username:Brucy
Serial:218o-1A9C-EA2E-5227