{"id":579,"date":"2018-09-25T05:21:00","date_gmt":"2018-09-24T21:21:00","guid":{"rendered":"https:\/\/flandre-scarlet.moe\/blog\/?p=579"},"modified":"2019-05-14T00:57:05","modified_gmt":"2019-05-13T16:57:05","slug":"crackme-%e5%8f%8d%e6%b1%87%e7%bc%96%e7%bb%83%e4%b9%a0%e4%b9%8b-052","status":"publish","type":"post","link":"https:\/\/flandre-scarlet.moe\/blog\/579\/","title":{"rendered":"CrackMe \u53cd\u6c47\u7f16\u7ec3\u4e60\u4e4b 052"},"content":{"rendered":"

\u4f5c\u4e3a\u7ec3\u624b\u7684 160 \u4e2a CrackMe \u7cfb\u5217\u6574\u7406\u5206\u6790
\n<\/p>\n

CrackMe \u6765\u6e90\uff1a\u3010\u53cd\u6c47\u7f16\u7ec3\u4e60\u3011160\u4e2aCrackME\u7d22\u5f15\u76ee\u5f551~160\u5efa\u8bae\u6536\u85cf\u5907\u7528<\/a><\/p>\n

\u8fd9\u4e2a\u4e94\u661f\u7684\u8fd8\u771f\u6709\u70b9\u9ebb\u70e6\uff0c\u4e3b\u8981\u662f\u524d\u9762\u8fd8\u539f C \u4ee3\u7801\u82b1\u4e86\u4e0d\u5c11\u65f6\u95f42333\uff0c\u5982\u679c\u76f4\u63a5\u62bd\u4ee3\u7801\u51fa\u6765\u5e94\u8be5\u80fd\u7701\u4e0b\u4e0d\u5c11\u529f\u592b\u3002\u3002\u3002<\/p>\n

\u6574\u4e2a\u6d41\u7a0b\u662f\u8fd9\u6837\uff1a<\/p>\n

    \n
  1. \u8f93\u5165\u7528\u6237\u540d\uff0c\u8fdb\u884c u(\u7528\u6237\u540d) \u53d8\u6362\u540e\u8ba1\u7b97 md5\uff08\u6211\u90fd\u9006\u5b8c\u4e86\u624d\u53cd\u5e94\u8fc7\u6765\uff0c\u5176\u5b9e\u770b\u5230\u90a3\u7ec4\u521d\u59cb key \u5c31\u8be5\u6ce8\u610f\u5230\u7684\uff0c\u800c\u4e14\u6ca1\u628a\u4e00\u5f00\u59cb\u7528 PEiD \u770b\u5230\u7684 md5 \u7b97\u6cd5\u5f53\u56de\u4e8b\u3002\u3002OTZ\uff09\uff0c\u5f97\u5230\u4e00\u4e2a\u7ed3\u679c key\uff1b<\/li>\n
  2. \u4ee5\u8f93\u5165\u7684\u6ce8\u518c\u7801\u4e3a\u521d\u59cb\u503c\uff0c\u7ecf\u8fc7 code = f(input) \u7684\u53d8\u6362\u540e\uff0c\u5c06 key \u4e0e code \u8fdb\u884c\u6bd4\u8f83\uff0c\u76f8\u7b49\u5c31\u901a\u8fc7\u6821\u9a8c\u3002<\/li>\n<\/ol>\n

    \u5176\u4e2d u(\u7528\u6237\u540d) = \u7528\u6237\u540d+\u7528\u6237\u540d\u53cd\u8f6c+\u4ea7\u54c1ID+\u6240\u6709\u8005ID\u3002\u540e\u9762\u4e24\u4e2a\u5206\u522b\u662f\u6ce8\u518c\u8868\u4e2d HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion \u91cc\u7684 ProductId \u548c RegisteredOwner\u3002\u5982\u679c RegisteredOwner \u4e0d\u5b58\u5728\u5c06\u4f1a\u7528 ProductId \u66ff\u4ee3\uff0c\u5373\u63a5\u4e0a\u4e24\u4e2a ProductId\u3002<\/p>\n

    \u65e2\u7136\u662f md5 \uff0c\u90a3\u4e48\u8fd9\u6837\u53ea\u80fd\u5728 f \u4e0a\u4e0b\u624b\u4e86\uff0c\u9996\u5148\u8fd8\u539f\u56de\u6765\u7684 f \u5927\u6982\u957f\u8fd9\u6837\uff1a<\/p>\n

    \r\nunsigned int* ParseCode(unsigned int *input, int time)\r\n{\r\n    DWORD esi, edi, eax, ecx, ebx, edx, ebp;\r\n    esi = input[0];\r\n    edi = input[1];\r\n    while (time--)\r\n    {\r\n        v18 = ebp = edi >> 31\r\n        edx:eax = Lshl(edi:esi, 1)\r\n        ebp = edx\r\n        edi = ebp\r\n        ecx = v18 | eax\r\n        edx = 0\r\n        eax = esi = ecx\r\n        eax &= 4\r\n        edx:eax = Lshl(edx:eax, 0xb)\r\n        ecx = esi\r\n        ecx &= 0x2000\r\n        eax &= ecx\r\n        edx:eax = Lshl(edx:eax, 0x12)\r\n        ecx = esi\r\n        edx ^= ebp\r\n        ecx &= 0x80000000\r\n        eax ^= ecx\r\n        edx:eax = Lshl(edx:eax, 0x1)\r\n        esi ^= eax\r\n        edi ^= edx\r\n    }\r\n    input[0] = esi;\r\n    input[1] = edi;\r\n    return input;\r\n}\r\n<\/pre>\n
    \u8fd9\u91cc\u53ea\u662f\u7b80\u5355\u5730\u8fd8\u539f\u4e86\u4e00\u4e0b\uff0c\u5176\u4e2d edx:eax \u8868\u793a 64 \u4e3a\u6574\u6570\uff0cedx \u4e3a\u9ad8 32 \u4f4d\u3002Lshl \u662f 64 \u4f4d\u65e0\u7b26\u53f7\u5de6\u79fb\u7684\u4e00\u4e2a\u5305\u88c5\u3002\u7a0d\u4f5c\u6574\u7406\uff0c\u505a\u70b9\u7b49\u6548\u53d8\u6362\uff0c\u7136\u540e\u5206\u6790\u4e00\u4e0b\u6709\u6ca1\u6709\u53ef\u4ee5\u7b80\u5316\u7684\u8ba1\u7b97\u6b65\u9aa4\u3002<\/p>\n
    \u9996\u5148\u9700\u8981\u53d1\u73b0 v18 \u548c esi\u3001edi\uff0c\u4ee5\u53ca\u4e00\u5f00\u59cb\u5de6\u79fb\u4e00\u4f4d\u4e4b\u95f4\u7684\u5173\u7cfb\uff0c\u5176\u5b9e\u5c31\u662f\u4e00\u4e2a\u5faa\u73af\u5de6\u79fb\u3002\u7cbe\u7b80\u540e\u5f97\u5230\u4e0b\u9762\u7684\u4ee3\u7801\u3002<\/p>\n
    \r\nunsigned int* ParseCode(unsigned int *input, int time)\r\n{\r\n    DWORD esi, edi, eax, ecx, ebx, edx, ebp;\r\n    esi = input[0];\r\n    edi = input[1];\r\n    while (time--)\r\n    {\r\n        Rol64((unsigned __int64)edi << 32 | esi, 1, &edi, &esi);\r\n        \/\/ eax \u5f62\u5982 00000000 00000000 00000000 00000?00\r\n        eax = (esi) & 4;\r\n        edx = 0;\r\n\r\n        Lshl(edx, eax, 0xb, &edx, &eax);\r\n        \/\/ eax \u5f62\u5982 00000000 00000000 00?00000 00000000\r\n        ecx = esi & 0x2000;\r\n        eax ^= ecx;\r\n\r\n        Lshl(edx, eax, 0x12, &edx, &eax);\r\n        \/\/ eax \u5f62\u5982 ?0000000 00000000 00000000 00000000\r\n        ecx = esi & 0x80000000;\r\n        eax ^= ecx;\r\n\r\n        Lshl(edx, eax, 0x1, &edx, &eax);\r\n        \/\/ eax === 0\r\n        \/\/ \u6b64\u65f6 edx \u7b49\u4e8e !!(esi & 4) ^ !!(esi & 0x2000) ^ !!(esi & 0x80000000)\r\n        edi ^= edx;\r\n    }\r\n    input[0] = esi;\r\n    input[1] = edi;\r\n    return input;\r\n}\r\n<\/pre>\n
    \u65e2\u7136\u5f00\u5934\u7684\u4f4d\u79fb\u662f\u5faa\u73af\u4f4d\u79fb\uff0c\u90a3\u4e48\u9996\u5148\u53ef\u4ee5\u653e\u70b9\u5fc3\u4e86\u3002\u7136\u540e\u89c2\u5bdf\u8fd9\u4e09\u7ec4\u770b\u4f3c\u65e0\u89c4\u5f8b\u7684\u4f4d\u4e0e\u548c\u5f02\u6216\uff0c\u597d\u5427\u6211\u5199\u5728\u6ce8\u91ca\u91cc\u4e86\uff0c\u56e0\u4e3a\u9ad8\u4f4d\u7684 edx \u4e3a 0\uff0c\u4f4e\u4f4d\u7684 eax \u7ecf\u8fc7\u4e00\u901a\u5de6\u79fb\u4e5f\u53d8\u4e3a 0 \u4e86\uff0c\u7136\u540e\u4ec5\u6709\u7684\u4e00\u4e2a\u6709\u6548\u4f4d\u88ab\u79fb\u5165 edx \u6700\u4f4e\u4f4d\uff0c\u6700\u540e\u7b80\u5316\u7684\u7ed3\u679c\u5c31\u662f\u4e0b\u9762\u8fd9\u6837\uff1a<\/p>\n
    \r\nunsigned int* ParseCode(unsigned int *input, int time)\r\n{\r\n    DWORD esi, edi;\r\n    esi = input[0];\r\n    edi = input[1];\r\n    while (time--)\r\n    {\r\n        Rol64((unsigned __int64)edi << 32 | esi, 1, &edi, &esi);\r\n        edi ^= (!!(esi & 0x4) ^ !!(esi & 0x2000) ^ !!(esi & 0x80000000));\r\n    }\r\n    input[0] = esi;\r\n    input[1] = edi;\r\n    return input;\r\n}\r\n<\/pre>\n
    f \u7684\u9006\u5c31\u4e0d\u7528\u591a\u8bf4\u4e86\u5427\u3002<\/p>\n
    \u81f3\u4e8e md5 \u7b97\u6cd5\u7684\u8fd8\u539f\u3002\u3002\u3002\u96be\u5ea6\u4e0d\u5927\uff08\u90fd\u77e5\u9053 md5 \u4e86\uff09\uff0c\u91cc\u9762\u6709\u4e00\u6bb5\u8bfb\u53d6\u4e86 exe \u7684\u5185\u5b58\uff0c\u6240\u4ee5\u8981\u628a\u5b83\u4eec\u62d6\u8fc7\u6765\u3002\u4e2d\u95f4\u7684\u7ffb\u8bd1\u8fc7\u7a0b\u7ec6\u5fc3\u70b9\u4e0d\u8981\u770b\u9519\u4e86\u5c31\u597d\u3002\u3002\u3002\u6709\u4e9b\u5730\u65b9\u6211\u4e00\u5f00\u59cb\u4e5f\u641e\u9519\uff0c\u6bd4\u5982\u7b2c\u4e00\u4e2a\u5faa\u73af\u91cc\u7684\u7b2c\u4e09\u4e2a\u548c\u7b2c\u56db\u4e2a\uff0c\u8ba1\u7b97\u5faa\u73af\u5de6\u79fb\u7528\u7684\u5730\u5740\u4e00\u76f4\u662f\u56fa\u5b9a\u7684 constAddr1[0] \u548c constAddr1[1]\uff0c\u6211\u4e00\u5f00\u59cb\u5f04\u6210 constAddr1[ii] \u4e86\uff0c\u7136\u540e\u7b97\u51fa\u7ed3\u679c\u5f53\u7136\u4e0d\u5bf9\u5566\u3002<\/p>\n
    \"result\"<\/p>\n
    \u6700\u540e\u9644\u4e0a\u6ce8\u518c\u673a\u6e90\u7801\uff1a<\/p>\n
    \r\n#include <cassert>\r\n#include <array>\r\n#include <cstring>\r\n#include <windows.h>\r\n\r\nstd::array<std::pair<int, int>, 16> constAddr1 = {\r\n    std::pair<int,int>(0x41b0b0, 0xD76AA478),\r\n    std::pair<int,int>(0x41b0b4, 0xE8C7B756),\r\n    std::pair<int,int>(0x41b0b8, 0x242070DB),\r\n    std::pair<int,int>(0x41b0bc, 0xC1BDCEEE),\r\n    std::pair<int,int>(0x41b0c0, 0xF57C0FAF),\r\n    std::pair<int,int>(0x41b0c4, 0x4787C62A),\r\n    std::pair<int,int>(0x41b0c8, 0xA8304613),\r\n    std::pair<int,int>(0x41b0cc, 0xFD469501),\r\n    std::pair<int,int>(0x41b0d0, 0x698098D8),\r\n    std::pair<int,int>(0x41b0d4, 0x8B44F7AF),\r\n    std::pair<int,int>(0x41b0d8, 0xFFFF5BB1),\r\n    std::pair<int,int>(0x41b0dc, 0x895CD7BE),\r\n    std::pair<int,int>(0x41b0e0, 0x6B901122),\r\n    std::pair<int,int>(0x41b0e4, 0xFD987193),\r\n    std::pair<int,int>(0x41b0e8, 0xA679438E),\r\n    std::pair<int,int>(0x41b0ec, 0x49B40821),\r\n};\r\nstd::array<std::pair<int, int>, 16> constAddr2 = {\r\n    std::pair<int,int>(0x41b0f0, 0xF61E2562),\r\n    std::pair<int,int>(0x41b0f4, 0xC040B340),\r\n    std::pair<int,int>(0x41b0f8, 0x265E5A51),\r\n    std::pair<int,int>(0x41b0fc, 0xE9B6C7AA),\r\n    std::pair<int,int>(0x41b100, 0xD62F105D),\r\n    std::pair<int,int>(0x41b104, 0x02441453),\r\n    std::pair<int,int>(0x41b108, 0xD8A1E681),\r\n    std::pair<int,int>(0x41b10c, 0xE7D3FBC8),\r\n    std::pair<int,int>(0x41b110, 0x21E1CDE6),\r\n    std::pair<int,int>(0x41b114, 0xC33707D6),\r\n    std::pair<int,int>(0x41b118, 0xF4D50D87),\r\n    std::pair<int,int>(0x41b11c, 0x455A14ED),\r\n    std::pair<int,int>(0x41b120, 0xA9E3E905),\r\n    std::pair<int,int>(0x41b124, 0xFCEFA3F8),\r\n    std::pair<int,int>(0x41b128, 0x676F02D9),\r\n    std::pair<int,int>(0x41b12c, 0x8D2A4C8A),\r\n};\r\nstd::array<std::pair<int, int>, 16> constAddr3 = {\r\n    std::pair<int,int>(0x41b130, 0xFFFA3942),\r\n    std::pair<int,int>(0x41b134, 0x8771F681),\r\n    std::pair<int,int>(0x41b138, 0x6D9D6122),\r\n    std::pair<int,int>(0x41b13c, 0xFDE5380C),\r\n    std::pair<int,int>(0x41b140, 0xA4BEEA44),\r\n    std::pair<int,int>(0x41b144, 0x4BDECFA9),\r\n    std::pair<int,int>(0x41b148, 0xF6BB4B60),\r\n    std::pair<int,int>(0x41b14c, 0xBEBFBC70),\r\n    std::pair<int,int>(0x41b150, 0x289B7EC6),\r\n    std::pair<int,int>(0x41b154, 0xEAA127FA),\r\n    std::pair<int,int>(0x41b158, 0xD4EF3085),\r\n    std::pair<int,int>(0x41b15c, 0x04881D05),\r\n    std::pair<int,int>(0x41b160, 0xD9D4D039),\r\n    std::pair<int,int>(0x41b164, 0xE6DB99E5),\r\n    std::pair<int,int>(0x41b168, 0x1FA27CF8),\r\n    std::pair<int,int>(0x41b16c, 0xC4AC5665),\r\n};\r\nstd::array<std::pair<int, int>, 16> constAddr4 = {\r\n    std::pair<int,int>(0x41b170, 0xF4292244),\r\n    std::pair<int,int>(0x41b174, 0x432AFF97),\r\n    std::pair<int,int>(0x41b178, 0xAB9423A7),\r\n    std::pair<int,int>(0x41b17c, 0xFC93A039),\r\n    std::pair<int,int>(0x41b180, 0x655B59C3),\r\n    std::pair<int,int>(0x41b184, 0x8F0CCC92),\r\n    std::pair<int,int>(0x41b188, 0xFFEFF47D),\r\n    std::pair<int,int>(0x41b18c, 0x85845DD1),\r\n    std::pair<int,int>(0x41b190, 0x6FA87E4F),\r\n    std::pair<int,int>(0x41b194, 0xFE2CE6E0),\r\n    std::pair<int,int>(0x41b198, 0xA3014314),\r\n    std::pair<int,int>(0x41b19c, 0x4E0811A1),\r\n    std::pair<int,int>(0x41b1a0, 0xF7537E82),\r\n    std::pair<int,int>(0x41b1a4, 0xBD3AF235),\r\n    std::pair<int,int>(0x41b1a8, 0x2AD7D2BB),\r\n    std::pair<int,int>(0x41b1ac, 0xEB86D391),\r\n};\r\n\r\nDWORD AddressValue(DWORD addr)\r\n{\r\n    for (auto& p : constAddr1) if (p.first == addr) return p.second;\r\n    for (auto& p : constAddr2) if (p.first == addr) return p.second;\r\n    for (auto& p : constAddr3) if (p.first == addr) return p.second;\r\n    for (auto& p : constAddr4) if (p.first == addr) return p.second;\r\n\r\n    assert("address not found." && 0);\r\n    return 0;\r\n}\r\n\r\n\r\nint Rol(int a1, char a2)\r\n{\r\n    __asm {\r\n        mov eax, a1\r\n        mov cl, a2\r\n        rol eax, cl\r\n        mov a1, eax\r\n    }\r\n    return a1;\r\n}\r\n\r\n\/\/ 0x401700\r\nunsigned int* ComputeKey(char* str, unsigned int *key)\r\n{\r\n    int esi = key[0];\r\n    int edi = key[1];\r\n    int ebp = key[2];\r\n    int ebx = key[3];\r\n\r\n    PDWORD v11 = PDWORD(str + 8);\r\n    int ii = 0;\r\n    for (int i = 0; i < 4; ++i)\r\n    {\r\n        esi = edi + Rol(constAddr1[ii].second + (edi & ebp | ebx & ~edi) + esi + v11[-2], 7);\r\n        ebx = esi + Rol(constAddr1[ii+1].second + (esi & edi | ebp & ~esi) + ebx + v11[-1], 12);\r\n        ebp = ebx + Rol(AddressValue((DWORD)((char *)v11 + constAddr1[0].first - str)) + (esi & ebx | edi & ~ebx) + ebp + v11[0], 17);\r\n        edi = ebp + Rol(AddressValue((DWORD)((char *)v11 + constAddr1[1].first - str)) + (ebp & ebx | esi & ~ebp) + edi + v11[1], 22);\r\n        ii += 4;\r\n        v11 += 4;       \/\/ \u4e00\u6b21\u52a0 16 \u5b57\u8282\r\n    }\r\n\r\n    ii = 0;\r\n    BYTE original_6 = 6;\r\n    for (int i = 0; i < 4; ++i)\r\n    {\r\n        int v1 = Rol(constAddr2[ii].second + (edi & ebx | ebp & ~ebx) + esi + *PDWORD(str + 4 * ((original_6 - 5) & 0xF)), 5);\r\n        esi = edi + v1;\r\n        int v2 = Rol(constAddr2[ii+1].second + ((edi + v1) & ebp | edi & ~ebp) + ebx + *PDWORD(str + 4 * (original_6 & 0xF)), 9);\r\n        ebx = esi + v2;\r\n        int v3 = Rol(constAddr2[ii+2].second + (edi & (esi + v2) | esi & ~edi) + ebp + *PDWORD(str + 4 * ((original_6 + 5) & 0xF)), 14);\r\n        ebp = ebx + v3;\r\n        edi = ebp + Rol(constAddr2[ii+3].second + (esi & (ebx + v3) | ebx & ~esi) + edi + *PDWORD(str + 4 * ((original_6 - 6) & 0xF)), 20);\r\n        original_6 += 4;\r\n        ii += 4;\r\n    }\r\n\r\n    ii = 0;\r\n    int v33 = ebp ^ ebx;\r\n    BYTE original_neg_5 = -5;\r\n    int original_neg_8 = -8;\r\n    for (int i = 0; i < 4; ++i)\r\n    {\r\n        int v1 = Rol(constAddr3[ii].second + (edi ^ v33) + esi + *PDWORD(str + 4 * ((original_neg_5 - 6) & 0xF)), 4);\r\n        esi = edi + v1;\r\n        int v2 = Rol(constAddr3[ii+1].second + ((edi + v1) ^ edi ^ ebp) + ebx + *PDWORD(str + 4 * (original_neg_8 & 0xF)), 11);\r\n        ebx = esi + v2;\r\n        int v3 = Rol(constAddr3[ii+2].second + (esi ^ edi ^ (esi + v2)) + ebp + *PDWORD(str + 4 * (original_neg_5 & 0xF)), 16);\r\n        ebp = ebx + v3;\r\n        int v4 = ebp ^ ebx;\r\n        edi = ebp + Rol(constAddr3[ii+3].second + (esi ^ v4) + edi + *PDWORD(str + 4 * ((original_neg_5 + 3) & 0xF)), 23);\r\n        v33 = v4;\r\n\r\n        original_neg_8 -= 4;\r\n        original_neg_5 -= 4;\r\n        ii += 4;\r\n    }\r\n\r\n    ii = 0;\r\n    BYTE original_0 = 0;\r\n    BYTE original_neg_2 = -2;\r\n    for (int i = 0; i < 4; ++i)\r\n    {\r\n        int v1 = Rol(constAddr4[ii].second + (ebp ^ (edi | ~ebx)) + esi + *PDWORD(str + 4 * (original_0 & 0xF)), 6);\r\n        esi = edi + v1;\r\n        int v2 = Rol(constAddr4[ii+1].second + (edi ^ ((edi + v1) | ~ebp)) + ebx + *PDWORD(str + 4 * ((original_neg_2 - 7) & 0xF)), 10);\r\n        ebx = esi + v2;\r\n        int v3 = Rol(constAddr4[ii+2].second + (esi ^ ((esi + v2) | ~edi)) + ebp + *PDWORD(str + 4 * (original_neg_2 & 0xF)), 15);\r\n        ebp = ebx + v3;\r\n        edi = ebp + Rol(constAddr4[ii+3].second + (ebx ^ ((ebx + v3) | ~esi)) + edi + *PDWORD(str + 4 * ((original_neg_2 + 7) & 0xF)), 21);\r\n\r\n        original_0 -= 4;\r\n        original_neg_2 -= 4;\r\n        ii += 4;\r\n    }\r\n\r\n    key[0] += esi;\r\n    key[1] += edi;\r\n    key[2] += ebp;\r\n    key[3] += ebx;\r\n    return key;\r\n}\r\n\r\nunsigned __int64 Lshl(DWORD high, DWORD low, int shift, PDWORD high1, PDWORD low1)\r\n{\r\n    unsigned __int64 v1 = (unsigned __int64)high << 32 | low;\r\n    v1 <<= shift;\r\n    *high1 = (DWORD)(v1 >> 32);\r\n    *low1 = (DWORD)v1;\r\n    return v1;\r\n}\r\n\r\nunsigned __int64 Rol64(unsigned __int64 a, char shift, PDWORD high1, PDWORD low1)\r\n{\r\n    unsigned __int64 v1 = (a << shift) | (a >> (64 - shift));\r\n    *high1 = (DWORD)(v1 >> 32);\r\n    *low1 = (DWORD)v1;\r\n    return v1;\r\n}\r\n\r\nunsigned __int64 Ror64(unsigned __int64 a, char shift, PDWORD high1, PDWORD low1)\r\n{\r\n    unsigned __int64 v1 = (a >> shift) | (a << (64 - shift));\r\n    *high1 = (DWORD)(v1 >> 32);\r\n    *low1 = (DWORD)v1;\r\n    return v1;\r\n}\r\n\r\nunsigned int* ParseCodeReverse(unsigned int *a1, int a2)\r\n{\r\n    DWORD esi, edi;\r\n    esi = a1[0];\r\n    edi = a1[1];\r\n    while (a2--)\r\n    {\r\n        edi ^= (!!(esi & 0x4) ^ !!(esi & 0x2000) ^ !!(esi & 0x80000000));\r\n        Ror64((unsigned __int64)edi << 32 | esi, 1, &edi, &esi);\r\n    }\r\n    a1[0] = esi;\r\n    a1[1] = edi;\r\n    return 0;\r\n}\r\n\r\nunsigned int* ParseCode(unsigned int *a1, int a2)\r\n{\r\n    DWORD esi, edi;\r\n    esi = a1[0];\r\n    edi = a1[1];\r\n    while (a2--)\r\n    {\r\n        Rol64((unsigned __int64)edi << 32 | esi, 1, &edi, &esi);\r\n        edi ^= (!!(esi & 0x4) ^ !!(esi & 0x2000) ^ !!(esi & 0x80000000));\r\n    }\r\n    a1[0] = esi;\r\n    a1[1] = edi;\r\n    return 0;\r\n}\r\n\r\nint main(int argc, char**argv)\r\n{\r\n    \/\/ argv[1] = Name\r\n    \/\/ argv[2] = ProductId\r\n    \/\/ argv[3] = RegisteredOwner\r\n    if (argc != 4)\r\n        abort();\r\n\r\n    char str[512];\r\n    strcpy_s(str, sizeof(str), argv[1]);\r\n    strcat_s(str, sizeof(str), _strrev(argv[1]));\r\n    strcat_s(str, sizeof(str), argv[2]);\r\n    strcat_s(str, sizeof(str), argv[3]);\r\n    memset(str + strlen(str), 0, sizeof(str) - strlen(str));\r\n\r\n    int pos = 0x40 - (strlen(str) + 1) & 0x3f;\r\n    if (pos <= 7) pos += 0x40;\r\n    pos += strlen(str) + 1;\r\n    str[strlen(str)] = '\\x80';\r\n    *PDWORD(str + pos - 8) = strlen(str) * 8;\r\n\r\n    unsigned int key[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };\r\n\r\n    for (int i = 0; i < pos; i += 0x40)\r\n        ComputeKey(str + i, key);\r\n    key[0] &= 0xffff;\r\n\r\n    for (int i = 2; i >= 0; --i)        \/\/ i \u4e5f\u8981\u5012\u8fc7\u6765\r\n        ParseCodeReverse(&key[i], 0xbadc0de \/ (0x50 + i));\r\n\r\n    printf("%#x %#x %#x %#x\\n", key[0], key[1], key[2], key[3]);\r\n    return 0;\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
    \u4f5c\u4e3a\u7ec3\u624b\u7684 160 \u4e2a CrackMe \u7cfb\u5217\u6574\u7406\u5206\u6790… <\/p>\n
    \u9605\u8bfb\u66f4\u591a<\/i><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31],"tags":[32,33],"class_list":["post-579","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering","tag-crackme","tag-33"],"_links":{"self":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts\/579","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/comments?post=579"}],"version-history":[{"count":0,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/posts\/579\/revisions"}],"wp:attachment":[{"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/media?parent=579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/categories?post=579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/flandre-scarlet.moe\/blog\/wp-json\/wp\/v2\/tags?post=579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}