本帖最后由 jixun66 于 2020-1-27 12:35 编辑
16,12,5,-78,6,1,4,0
标题的自定义文字不会搞了… 参数拿表算的
跟了一下提供的 key,好像第二位和最后三位得是 -4140? 更新后的 key:
2,-4,5,-4,8,1,4,0
ar6 = 1
ar7 = 4
ar8 = 0
cal_1 = 6, cal_2 = 16, ar1 = 2;
ar3 = 5
ar2 = -4
// ar2 = -(cal_2 - ar5 * ar1 - ar4);
// ar3 * ar1 + ar4 = cal_1
// ar5 * ar1 + ar4 = cal_2 - 4
// -----------------------------
// (ar3 - ar5)*ar1 = cal_1 - cal_2 + 4
ar5 = ar3 - ((cal_1 - cal_2 + 4) / ar1)
ar4 = cal_1 - ar3 * ar1;
console.info([ar1, ar2, ar3, ar4, ar5, ar6, ar7, ar8].join(',')); // 不能有小数,前 5 位不能有 0。
cal_1 = Math.floor(ar3 * ar1 + ar4); // 1 * 123 + 4 = 127
cal_2 = Math.floor(ar5 * ar1 + ar4 - ar2); // 4 * 123 + 4 - (-4) = 500
cal_3 = ar1 * cal_1 * cal_2 * ar3 * ar4 * ar5 * ar2;
// cal_3 不为 0 即可,也就是说任意一个数值不为 0 即可。
cal_4 = Math.floor(ar1 * cal_1 + 4.0); // 127 * 123 + 4 = square(125)
cal_5 = Math.floor(ar1 * cal_2 + 4.0); // 500 * 123 + 4 = square(248)
cal_6 = Math.floor(cal_1 * cal_2 + 4.0); // 127 * 500 + 4 = square(252)
[cal_1,cal_2,cal_3,cal_4,cal_5,cal_6]
// 验证: cal_4/5/6 得是平方数
if ( arrayLen == 8 )
{
cal_1 = FloatToInt((double)ar3 * (double)ar1 + (double)ar4);
cal_2 = FloatToInt((double)ar5 * (double)ar1 + (double)ar4 - (double)ar2);
cal_3 = (double)ar1 * (double)cal_1 * (double)cal_2 * (double)ar3 * (double)ar4 * (double)ar5 * (double)ar2;
cal3_abs = cal_3;
if ( cal_3 < 0.0 )
cal3_abs = -cal_3;
if ( cal3_abs > 0.0000001 ) // cal3 != 0
{
cal_4 = FloatToInt((double)ar1 * (double)cal_1 + 4.0);
if ( isSquareOfNumber(cal_4) )
{
cal_5 = FloatToInt((double)ar1 * (double)cal_2 + 4.0);
if ( isSquareOfNumber(cal_5) )
{
cal_6 = FloatToInt((double)cal_1 * (double)cal_2 + 4.0);
if ( isSquareOfNumber(cal_6) )
{
checkSize();
if ( v15 <= 5 )
access_exception((LPCSTR)1);
ar1_4a[5];
ar6 = exec_ebx(1);
checkSize();
if ( v16 <= 6 )
access_exception((LPCSTR)1);
ar1_4a[6];
LODWORD(ar7__) = exec_ebx(1);
ar7 = ar7__;
checkSize();
if ( v18 <= 7 )
access_exception((LPCSTR)1);
ar1_4a[7];
LODWORD(ar8__) = exec_ebx(1);
ar8 = ar8__;
exec_ebx(0); // 取现行时间
sec = exec_ebx(1); // 取秒
cal_7 = ((double)sec - 1.0) * ((double)sec - 1.0)
+ (double)ar6 * (double)sec * 4.0
- ((double)sec + (double)ar6) * ((double)sec + (double)ar6);
if ( cal_7 < 0.0 )
cal_7 = -cal_7;
if ( cal_7 <= 0.0000001 ) // == 0
{
exec_ebx(0);
exec_ebx(1); // 时间取秒???
LODWORD(sec2) = exec_ebx(1);
cal_8 = (double)ar6 * 4.0 / (sec2 * sec2);
timeCalc2 = (ar8 - sec2 * cal_8) / (ar7 - cal_8)
- (-1.0 / sec2 * ((double)ar6 * 4.0 / (-1.0 / sec2 * (-1.0 / sec2))) - sec2 * cal_8)
/ ((double)ar6 * 4.0 / (-1.0 / sec2 * (-1.0 / sec2)) - cal_8);
if ( timeCalc2 < 0.0 )
timeCalc2 = -timeCalc2;
if ( timeCalc2 <= 0.0000001 )
{
checkSize();
if ( v25 <= 1 )
access_exception((LPCSTR)1);
checkSize();
if ( v26 <= 5 )
access_exception((LPCSTR)1);
checkSize();
if ( v27 <= 6 )
access_exception((LPCSTR)1);
checkSize();
if ( v28 <= 7 )
access_exception((LPCSTR)1);
v29 = ar1_4a[7];
v30 = ar1_4a[6];
v31 = ar1_4a[5];
v62 = (void *)sub_40106F(ar1_4a[1]);
v40 = (void *)exec_ebx(6);
if ( v62 )
free(v62);
v61 = v40;
lpMem_4a = (void *)exec_ebx(1);
lpMema = (void *)sub_40202F(3, (unsigned int)&unk_4828B6);
if ( lpMem_4a )
free(lpMem_4a);
v45 = (void *)exec_ebx(1);
if ( lpMema )
free(lpMema);
v43 = (unsigned __int8 *)sub_40106F((unsigned int)"Cardinal - ");
if ( v45 )
free(v45);
sub_402029((HWND)0x52010001, 100728832, 8, -1, v43, 0);
if ( v43 )
free(v43);
}
}
}
}
}
}
}
(越看越觉得这代码像是在胡搅蛮缠) | 
发表于 2020-1-24 10:01
|
发表于 2020-1-25 13:53
发表于 2020-1-27 12:09
