找自信
带一组key的CM
本帖最后由 jixun66 于 2020-1-27 12:35 编辑
```text
16,12,5,-78,6,1,4,0
```
标题的自定义文字不会搞了… 参数拿表算的
跟了一下提供的 key,好像第二位得是 -4、最后三位得是 1,4,0? 更新后的 key:
```
2,-4,5,-4,8,1,4,0
```
```js
ar6 = 1
ar7 = 4
ar8 = 0
cal_1 = 6, cal_2 = 16, ar1 = 2;
ar3 = 5
ar2 = -4
// ar2 = -(cal_2 - ar5 * ar1 - ar4);
// ar3 * ar1 + ar4 = cal_1
// ar5 * ar1 + ar4 = cal_2 - 4
// -----------------------------
//(ar3 - ar5)*ar1 = cal_1 - cal_2 + 4
ar5 = ar3 - ((cal_1 - cal_2 + 4) / ar1)
ar4 = cal_1 - ar3 * ar1;
console.info(.join(',')); // 不能有小数,前 5 位不能有 0。
cal_1 = Math.floor(ar3 * ar1 + ar4); // 1 * 123 + 4 = 127
cal_2 = Math.floor(ar5 * ar1 + ar4 - ar2); // 4 * 123 + 4 - (-4) = 500
cal_3 = ar1 * cal_1 * cal_2 * ar3 * ar4 * ar5 * ar2;
// cal_3 不为 0 即可,也就是说任意一个数值不为 0 即可。
cal_4 = Math.floor(ar1 * cal_1 + 4.0); // 127 * 123 + 4 = square(125)
cal_5 = Math.floor(ar1 * cal_2 + 4.0); // 500 * 123 + 4 = square(248)
cal_6 = Math.floor(cal_1 * cal_2 + 4.0); // 127 * 500 + 4 = square(252)
// 验证: cal_4/5/6 得是平方数
```
```c
// Decompiler pseudo-code excerpt of the key check; the readable identifiers (ar1..ar8, cal_*,
// checkSize, exec_ebx, isSquareOfNumber, ...) are labels chosen by the poster, and none of the
// helpers are shown here. The whole check is skipped unless the parsed key has exactly 8 values.
if ( arrayLen == 8 )
{
// cal_1 = ar3*ar1 + ar4 and cal_2 = ar5*ar1 + ar4 - ar2, evaluated in double and passed through
// FloatToInt (presumably truncation or rounding - TODO confirm).
cal_1 = FloatToInt((double)ar3 * (double)ar1 + (double)ar4);
cal_2 = FloatToInt((double)ar5 * (double)ar1 + (double)ar4 - (double)ar2);
// Product of ar1..ar5 and both intermediates: it is zero as soon as any single factor is zero.
cal_3 = (double)ar1 * (double)cal_1 * (double)cal_2 * (double)ar3 * (double)ar4 * (double)ar5 * (double)ar2;
// Hand-rolled fabs() followed by an epsilon comparison instead of an exact != 0.0 test.
cal3_abs = cal_3;
if ( cal_3 < 0.0 )
cal3_abs = -cal_3;
if ( cal3_abs > 0.0000001 ) // cal3 != 0
{
// Three nested gates: ar1*cal_1 + 4, ar1*cal_2 + 4 and cal_1*cal_2 + 4 must each satisfy
// isSquareOfNumber (by its name a perfect-square test).
cal_4 = FloatToInt((double)ar1 * (double)cal_1 + 4.0);
if ( isSquareOfNumber(cal_4) )
{
cal_5 = FloatToInt((double)ar1 * (double)cal_2 + 4.0);
if ( isSquareOfNumber(cal_5) )
{
cal_6 = FloatToInt((double)cal_1 * (double)cal_2 + 4.0);
if ( isSquareOfNumber(cal_6) )
{
// Reads ar6, ar7 and ar8. v15/v16/v18 are not assigned in this excerpt; presumably checkSize()
// leaves the element count in them, making each comparison a bounds check for index 5, 6
// and 7 - TODO confirm. The bare "ar1_4a;" statements have no effect (decompiler residue).
checkSize();
if ( v15 <= 5 )
access_exception((LPCSTR)1);
ar1_4a;
ar6 = exec_ebx(1);
checkSize();
if ( v16 <= 6 )
access_exception((LPCSTR)1);
ar1_4a;
// NOTE(review): LODWORD(x) = ... overwrites only the low 32 bits of x; combined with the
// plain copy on the next line the recovered variable types look unreliable.
LODWORD(ar7__) = exec_ebx(1);
ar7 = ar7__;
checkSize();
if ( v18 <= 7 )
access_exception((LPCSTR)1);
ar1_4a;
LODWORD(ar8__) = exec_ebx(1);
ar8 = ar8__;
exec_ebx(0); // get the current time
sec = exec_ebx(1); // take the seconds
// (sec-1)^2 + 4*ar6*sec - (sec+ar6)^2, which expands to (ar6 - 1) * (2*sec - ar6 - 1);
// the gate below requires its absolute value to be within 1e-7 of zero.
cal_7 = ((double)sec - 1.0) * ((double)sec - 1.0)
+ (double)ar6 * (double)sec * 4.0
- ((double)sec + (double)ar6) * ((double)sec + (double)ar6);
if ( cal_7 < 0.0 )
cal_7 = -cal_7;
if ( cal_7 <= 0.0000001 ) //== 0
{
exec_ebx(0);
exec_ebx(1); // seconds of the time???
LODWORD(sec2) = exec_ebx(1);
// Second time-dependent gate: the difference of two quotients built from ar6, ar7, ar8 and
// sec2 must be within 1e-7 of zero. sec2 is used as a divisor with no zero check visible in
// this excerpt, so a value of 0 would make the expression non-finite.
cal_8 = (double)ar6 * 4.0 / (sec2 * sec2);
timeCalc2 = (ar8 - sec2 * cal_8) / (ar7 - cal_8)
- (-1.0 / sec2 * ((double)ar6 * 4.0 / (-1.0 / sec2 * (-1.0 / sec2))) - sec2 * cal_8)
/ ((double)ar6 * 4.0 / (-1.0 / sec2 * (-1.0 / sec2)) - cal_8);
if ( timeCalc2 < 0.0 )
timeCalc2 = -timeCalc2;
if ( timeCalc2 <= 0.0000001 )
{
// Success path. The same size-then-compare pattern as above is repeated for indices 1, 5, 6
// and 7 (v25..v28 are likewise not assigned in this excerpt).
checkSize();
if ( v25 <= 1 )
access_exception((LPCSTR)1);
checkSize();
if ( v26 <= 5 )
access_exception((LPCSTR)1);
checkSize();
if ( v27 <= 6 )
access_exception((LPCSTR)1);
checkSize();
if ( v28 <= 7 )
access_exception((LPCSTR)1);
v29 = ar1_4a;
v30 = ar1_4a;
v31 = ar1_4a;
// A chain of temporary buffers: each intermediate result is released with free() once the
// next call has returned. What sub_40106F / sub_40202F compute is not visible here.
v62 = (void *)sub_40106F(ar1_4a);
v40 = (void *)exec_ebx(6);
if ( v62 )
free(v62);
v61 = v40;
lpMem_4a = (void *)exec_ebx(1);
lpMema = (void *)sub_40202F(3, (unsigned int)&unk_4828B6);
if ( lpMem_4a )
free(lpMem_4a);
v45 = (void *)exec_ebx(1);
if ( lpMema )
free(lpMema);
// Builds a buffer from the literal "Cardinal - " and hands it to sub_402029 together with a
// hard-coded handle-like constant; given the post's remark about the title text this is
// presumably where the window caption is set - TODO confirm.
v43 = (unsigned __int8 *)sub_40106F((unsigned int)"Cardinal - ");
if ( v45 )
free(v45);
sub_402029((HWND)0x52010001, 100728832, 8, -1, v43, 0);
if ( v43 )
free(v43);
}
}
}
}
}
}
}
```
(越看越觉得这代码像是在胡搅蛮缠) 图不错,收了。新年快乐! 新年快乐! 本帖最后由 huzpsb 于 2020-1-24 19:39 编辑
九楼见.
8个关键跳,楼主你feng了?我连改字符串的心都有了 @小菜鸟一枚 不,是我没自信了~
还有,更正一下,是7个,刚才我瞎了 huzpsb 发表于 2020-1-24 12:18
@小菜鸟一枚 不,是我没自信了~
还有,更正一下,是7个,刚才我瞎了
你还找到了字符串,我搜字符串都不出来,都不知道从何下手了!{:1_937:} 小菜鸟一枚 发表于 2020-1-24 12:19
你还找到了字符串,我搜字符串都不出来,都不知道从何下手了!
也许会让你有一点思路QwQ dingding~ zbnysjwsnd8 发表于 2020-1-24 12:36
dingding~
不玩了,爆破(爆破点如图所示,然后00401E37断下来,改内存)一下,改写一下字符串走人
哼唧~ huzpsb 发表于 2020-1-24 12:35
也许会让你有一点思路QwQ
看来是我的知识面太窄了,看不懂这是什么文件,官方入门视频教程第七课也是易语言,不懂编程完全看不懂:'(weeqw
顺着你的截图我搜到这里,然后改跳转程序就挂了!
004013A0|.83BD 78FFFFFF>cmp dword ptr ss:[ebp-0x88],0x8
004013A7|.0F84 05000000 je CrackMe.004013B2
004013AD E9 E10A0000 jmp CrackMe.00401E93