C++无壳CrackMe or KeyGenMe
本帖最后由 一只小凡凡 于 2024-2-5 13:27 编辑
https://xiaofans.lanzouq.com/ijUpU1ncs9mb
补充:
难度中等偏下,无壳、有反调试、激活码生成算法
你需要逆向算法尝试复原算法的C++或其他语言代码
本帖最后由 solly 于 2024-3-4 13:49 编辑
那个 mod 计算有点小坑,编译器优化后不明显了:
#include <iostream>
#include <time.h>
//#include <ctime>
//#include <chrono>
// Forward declaration: returns the minute-of-hour value used as the key offset (defined after main).
size_t calculateOffset();
// Substitution alphabet: 36 characters plus the implicit terminating NUL.
// getFlag() reduces its index modulo 36, which matches this length.
char mappingTable[] = "!)+LA0K>\"}*|Z=$G\\?#VBM6:4X9P,'254LCJ";
// Forward declaration: writes the code for the given offset into the caller's buffer (defined after main).
int getFlag(size_t offset, char * flag);
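// Keygen driver: prints the code valid for the current minute, then the
// codes for every minute 0..59.
int main(int argc, char** argv) {
    // Room for the 8-character code shown in the output table plus the
    // terminating NUL. LENGTH is only defined after main, so the size is
    // spelled out here. Zero-initialised so printing is always well defined.
    char flag[9] = {0};
    size_t offset = calculateOffset();

    ///// get current flag with minutes of hour
    // offset is a size_t; cast it so the argument really matches %d.
    printf("Minutes of hour = %d\n", (int)offset);
    getFlag(offset, flag);
    printf("Current flag = %s\n\n", flag);

    ///// get all flags
    printf("All flags:\n");
    for(int i=0; i<60; i++) {
        getFlag(i, flag);
        printf("Minute = %02d, flag = %s\n", i, flag);
    }
    return 0;
}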
size_t calculateOffset()
{
    // Returns the minute field (0..59) of the current time, broken down as UTC
    // by gmtime(). The result is used as the key offset.
    //
    // <chrono> variant kept from the original listing for reference:
    //   auto now = std::chrono::system_clock::now();
    //   auto nanoseconds = std::chrono::duration_cast<std::chrono::nanoseconds>(now.time_since_epoch());
    //   auto minutes = std::chrono::duration_cast<std::chrono::minutes>(
    //       std::chrono::duration_cast<std::chrono::seconds>(nanoseconds));
    //   return (minutes.count() % 60);

    /// c lib
    const time_t nowSeconds = time(nullptr);
    const struct tm *utcFields = gmtime(&nowSeconds);
    return utcFields->tm_min;
}
#define LENGTH 8
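// Computes the LENGTH-character code for one minute offset.
//
// offset: minute of the hour (0..59 in this program).
// flag:   output buffer; must hold at least LENGTH + 1 bytes, because LENGTH
//         characters and a terminating NUL are written.
// Returns 0 unconditionally.
//
// Every input (seed string, table, clock) is available on the client, so the
// result can always be recomputed offline. That suits a CrackMe exercise, but
// it is not a basis for real licence enforcement.
int getFlag(size_t offset, char * flag) {
    // The explicit "\0" makes the NUL one of the LENGTH (8) bytes that are
    // mapped, so the last output character comes from the byte value 0.
    char idx_base[] = "52pojie\0";
    for(int i=0; i<LENGTH; i++) {
        // Distance from '0' (0x30) plus the offset; negative when the input
        // byte is the NUL and offset < 0x30.
        int idx0 = (idx_base[i] - 0x30 + offset);
        //unsigned int idx1 = ((unsigned)idx0) % 36;
        // A plain 32-bit unsigned modulo (line above) gives a different residue
        // for negative idx0. 2^64 and 0x34 are both congruent to 16 mod 36, so
        // adding 0x34 yields what a 64-bit unsigned modulo of the wrapped value
        // would give. idx0 >= -0x30 here, so 0x34 + idx0 stays positive.
        unsigned int idx1 = (idx0>=0) ? ((unsigned)idx0 % 36) : ((unsigned)(0x34+idx0) % 36);
        //printf("idx%d = 0x%08X ==> 0x%08X\n", i, idx0, idx1);
        flag[i] = mappingTable[idx1];
    }
    flag[LENGTH] = '\0';
    return 0;
}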
按分钟计算的码,0~59共60个码:
Minute = 00, flag = 0+,P6M?A
Minute = 01, flag = KL',:6#0
Minute = 02, flag = >A2'4:VK
Minute = 03, flag = "052X4B>
Minute = 04, flag = }K459XM"
Minute = 05, flag = *>L4P96}
Minute = 06, flag = |"CL,P:*
Minute = 07, flag = Z}JC',4|
Minute = 08, flag = =*!J2'XZ
Minute = 09, flag = $|)!529=
Minute = 10, flag = GZ+)45P$
Minute = 11, flag = \=L+L4,G
Minute = 12, flag = ?$ALCL'\
Minute = 13, flag = #G0AJC2?
Minute = 14, flag = V\K0!J5#
Minute = 15, flag = B?>K)!4V
Minute = 16, flag = M#">+)LB
Minute = 17, flag = 6V}"L+CM
Minute = 18, flag = :B*}ALJ6
Minute = 19, flag = 4M|*0A!:
Minute = 20, flag = X6Z|K0)4
Minute = 21, flag = 9:=Z>K+X
Minute = 22, flag = P4$=">L9
Minute = 23, flag = ,XG$}"AP
Minute = 24, flag = '9\G*}0,
Minute = 25, flag = 2P?\|*K'
Minute = 26, flag = 5,#?Z|>2
Minute = 27, flag = 4'V#=Z"5
Minute = 28, flag = L2BV$=}4
Minute = 29, flag = C5MBG$*L
Minute = 30, flag = J46M\G|C
Minute = 31, flag = !L:6?\ZJ
Minute = 32, flag = )C4:#?=!
Minute = 33, flag = +JX4V#$)
Minute = 34, flag = L!9XBVG+
Minute = 35, flag = A)P9MB\L
Minute = 36, flag = 0+,P6M?A
Minute = 37, flag = KL',:6#0
Minute = 38, flag = >A2'4:VK
Minute = 39, flag = "052X4B>
Minute = 40, flag = }K459XM"
Minute = 41, flag = *>L4P96}
Minute = 42, flag = |"CL,P:*
Minute = 43, flag = Z}JC',4|
Minute = 44, flag = =*!J2'XZ
Minute = 45, flag = $|)!529=
Minute = 46, flag = GZ+)45P$
Minute = 47, flag = \=L+L4,G
Minute = 48, flag = ?$ALCL'!
Minute = 49, flag = #G0AJC2)
Minute = 50, flag = V\K0!J5+
Minute = 51, flag = B?>K)!4L
Minute = 52, flag = M#">+)LA
Minute = 53, flag = 6V}"L+C0
Minute = 54, flag = :B*}ALJK
Minute = 55, flag = 4M|*0A!>
Minute = 56, flag = X6Z|K0)"
Minute = 57, flag = 9:=Z>K+}
Minute = 58, flag = P4$=">L*
Minute = 59, flag = ,XG$}"A|
更正一下 mod:应该是 64 位无符号整数的 mod,前面用的是 32 位,所以需要加 0x34 修正,改成 64 位即可:
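// Corrected variant: does the modulo on a 64-bit unsigned value, so the 0x34
// adjustment of the 32-bit version is no longer needed.
//
// offset: minute of the hour (0..59 in this program).
// flag:   output buffer; must hold at least LENGTH + 1 bytes.
// Returns 0 unconditionally.
int getFlag(size_t offset, char * flag) {
    // The explicit "\0" makes the NUL one of the LENGTH (8) bytes that are mapped.
    char idx_base[] = "52pojie\0";
    for(int i=0; i<LENGTH; i++) {
        //int idx0 = (idx_base[i] - 0x30 + offset);
        //int idx1 = (idx0>=0) ? ((idx0) % 36) : ((idx0+0x34) % 36);
        //printf("idx%d = 0x%08X ==> 0x%08X\n", i, idx0, idx1);
        // Sign-extend the byte before subtracting, so a negative difference
        // wraps around 2^64 when it is reinterpreted as unsigned below.
        long long idx0 = (long long)((signed int)idx_base[i] - 0x30) + offset;
        unsigned long long idx1 = ((unsigned long long)idx0) % 36;
        //printf("idx%d = 0x%I64X ==> 0x%I64X\n", i, idx0, idx1);
        flag[i] = mappingTable[idx1];
    }
    flag[LENGTH] = '\0';
    return 0;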
}
x64呃呃那还是算了
bool __cdecl is52pojie(const std::string *input)
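{
  // Decompiler pseudocode of the check routine; it is not compilable as written.
  // It builds the expected code in currentString and returns whether *input equals it.
  char *v1; // rax
  bool v2; // bl
  std::string currentString; // BYREF
  char ch_0; //
  const char *__for_end; //
  const char (*__for_range); //
  size_t offset; //
  const char *__for_begin; //
  offset = calculateOffset();
  std::string::basic_string(&currentString);
  __for_range = (const char (*))"52pojie";
  __for_begin = "52pojie";
  // NOTE(review): the end pointer is shown as another string literal. Presumably
  // the decompiler labelled the one-past-the-end address with the neighbouring
  // string. Confirm in the disassembly.
  __for_end = "title CrackMe 52pojie";
  while ( __for_begin != __for_end )
  {
    ch_0 = *__for_begin;
    // offset is a size_t, so the sum is reduced with an unsigned modulo; 0x24 == 36.
    // NOTE(review): operator[] is applied to &mappingTable[...], which suggests the
    // table elements are std::string objects here. Verify against the binary.
    v1 = (char *)std::string::operator[](&mappingTable[(ch_0 - 48 + offset) % 0x24], 0i64);
    std::string::operator+=(&currentString, (unsigned int)*v1);
    ++__for_begin;
  }
  v2 = std::operator==<char>(input, &currentString);
  // The temporary is destroyed before the comparison result is returned.
  std::string::~string(&currentString);
  return v2;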
}
看了半天有个mappingTable变量看不懂
有符号,难度为0
用这个c32asm v0.8.8 进行操作,就退出
这是用mingw写的吧 COFF符号表都在里面
Jar36 发表于 2024-2-10 09:53
这是用mingw写的吧 COFF符号表都在里面
以后写crackme记得strip
适合我这样的新手