首先贴出我逆向得到的关键函数:
代码:
// CreateOutCode: hand-reconstructed check routine (local names such as var_4
// and var_104 look like stack offsets from a disassembly).
//
// What the visible code does:
//   - tempKey holds 0xC values, all starting at the baseline 0x1E.
//   - Two passes run (var_108 = 0, then 1). In each pass, for every position
//     var_10C in 0..0xB, exactly one tempKey slot (selected by
//     userCode[var_10C]) is changed to 0x28 (pass 0) or 0x14 (pass 1), and the
//     slot changed in the previous step is restored to 0x1E.
//   - tempKey is then copied into tempCode as snCode[0] rows of
//     0xC/snCode[0] entries, with a fixed row stride of 4.
//   - The sums of rows snCode[1] and snCode[2] are compared, and further
//     comparisons, all addressed through snCode, append letters 'a'..'l' to
//     outCode.
//
// Parameters:
//   snCode   - array of DWORD values used as counts and as row/column indices;
//              the highest slot read here is snCode[0x34].
//   outCode  - output buffer; written sequentially from index 0.
//   userCode - 0xC DWORD values used as indices into tempKey.
//
// NOTE(review), memory safety of this reconstruction:
//   - No value taken from snCode or userCode is range-checked before it is
//     used as an index into tempCode (0x30 entries) or tempKey (0xC entries),
//     so out-of-range input reads or writes outside these stack arrays.
//   - tempCode is never initialised as a whole. Only the cells written by the
//     fill loop (or by the six overwrites) hold defined values, and any other
//     cell selected through snCode is read uninitialised.
//   - outCode is written without a length limit and no terminator is stored
//     here. One inner step can append up to two characters ('g' then 'h', or
//     'c' followed by 'b'/'d'), so up to 2 * 0xC * 2 characters are possible.
//     The caller must size and terminate the buffer.
void CreateOutCode(DWORD *snCode,char *outCode,DWORD *userCode) {
    DWORD var_4;            // general loop counter / row index
    DWORD var_8;            // column counter inside the fill loop
    DWORD var_C;            // running read index into tempKey during a fill
    DWORD var_10;           // next write position in outCode (never reset)
    DWORD tempKey[0xC];
    DWORD tempCode[0x30];
    DWORD var_104,var_108,var_10C,var_110,var_114,var_118,var_11C,var_120,var_124;

    var_4 = 0;
    var_8 = 0;
    var_C = 0;
    var_10 = 0;

    // Every key slot starts at the baseline value 0x1E.
    for(var_4=0;var_4<0xC;var_4++) {
        tempKey[var_4]=0x1E;
    }

    var_104 = 0;
    var_108 = 0;
    // var_104 = entries per row; stays 0 when snCode[0] is 0 (avoids a
    // division by zero and makes every later var_104-bounded loop a no-op).
    if (snCode[0]>0) {
        var_104 = 0xC/snCode[0];
    }

    var_10C = 0;
    while(var_108<0x02) {
        // On entering the second pass var_10C is 0xC, so this restores the
        // slot that the last step of the previous pass left modified.
        if(var_10C>0) {
            tempKey[userCode[var_10C-0x01]] = 0x1E;
        }
        var_10C = 0;
        while(var_10C<0x0C) {
            if(var_10C>0) {
                // From the second position on, make sure the previously
                // modified slot is back at 0x1E.
                tempKey[userCode[var_10C-0x01]] = 0x1E;
            }
            if(var_108==0) {
                // Pass 0: the current slot gets 0x28 (above the baseline).
                tempKey[userCode[var_10C]] = 0x28;
                var_10C++;
            }
            if(var_108==0x01) {
                // Pass 1: the current slot gets 0x14 (below the baseline).
                tempKey[userCode[var_10C]] = 0x14;
                var_10C++;
            }

            // Fill tempCode from tempKey: snCode[0] rows, var_104 entries per
            // row, row stride 4. Runs zero times when snCode[0] is 0.
            var_4 = 0;
            var_C = 0;
            while (var_4<snCode[0]) {
                var_8 = 0;
                // Inner count is 0xC/snCode[0] (0 when snCode[0] is 0).
                while (var_8<var_104) {
                    // Author's note: "only the first three tempKey entries are
                    // effective". NOTE(review): var_C advances once per copy
                    // and can reach snCode[0]*var_104 - 1; confirm what that
                    // note refers to.
                    tempCode[var_4*0x04+var_8]=tempKey[var_C];
                    var_C++;
                    var_8++;
                }
                var_4++;
            }
            // Author's note: this fill performs 0xC copies in total (true when
            // snCode[0] divides 0xC evenly).

            // First comparison: sum of row snCode[1] against sum of row
            // snCode[2]. Both sums stay 0 when var_104 is 0.
            var_110 = 0;
            var_114 = 0;
            var_4 = 0;
            while (var_4<var_104) {
                var_110 += tempCode[snCode[0x01]*0x04+var_4];
                var_114 += tempCode[snCode[0x02]*0x04+var_4];
                var_4 ++;
            }

            if (var_110==var_114) {
                // Author's analysis: if snCode[0] == 0 this branch is always
                // taken, so only 'i','j','k','l' could ever be produced; hence
                // snCode[0] must not be 0. The branch is also always taken when
                // snCode[1] == snCode[2] (the original note wrote snCode[0x01]
                // on both sides, which reads like a typo).
                if(tempCode[snCode[0x03]*0x04+snCode[0x04]]!=tempCode[snCode[0x05]*0x04+snCode[0x06]]) {
                    if(tempCode[snCode[0x07]*0x04+snCode[0x08]]!=tempCode[snCode[0x09]*0x04+snCode[0xA]]) {
                        outCode[var_10] = 'i';
                        var_10 ++;
                    } else {
                        outCode[var_10] = 'j';
                        var_10 ++;
                    }
                } else {
                    if(tempCode[snCode[0x07]*0x04+snCode[0x08]]!=tempCode[snCode[0x09]*0x04+snCode[0xA]]) {
                        outCode[var_10] = 'k';
                        var_10 ++;
                    } else {
                        outCode[var_10] = 'l';
                        var_10 ++;
                    }
                }
            }

            if (var_110>var_114) {
                var_4 = 0;
                var_118 = 0;
                var_11C = 0;
                // Six overwrites: three cells of row snCode[1] and three cells
                // of row snCode[2] are replaced by cells chosen through
                // snCode[0x0B..0x1C] (destination column, source row, source
                // column). These are unchecked writes into tempCode.
                tempCode[snCode[0x1]*0x4+snCode[0x0B]] = tempCode[snCode[0x0C]*0x4+snCode[0x0D]];
                tempCode[snCode[0x1]*0x4+snCode[0x0E]] = tempCode[snCode[0x0F]*0x4+snCode[0x10]];
                tempCode[snCode[0x1]*0x4+snCode[0x11]] = tempCode[snCode[0x12]*0x4+snCode[0x13]];
                tempCode[snCode[0x2]*0x4+snCode[0x14]] = tempCode[snCode[0x15]*0x4+snCode[0x16]];
                tempCode[snCode[0x2]*0x4+snCode[0x17]] = tempCode[snCode[0x18]*0x4+snCode[0x19]];
                tempCode[snCode[0x2]*0x4+snCode[0x1A]] = tempCode[snCode[0x1B]*0x4+snCode[0x1C]];

                // Second comparison: the same two row sums after the edits.
                // The count is again 0xC/snCode[0] and requires snCode[0] != 0.
                while (var_4<var_104) {
                    var_118 += tempCode[snCode[0x01]*0x04+var_4];
                    var_11C += tempCode[snCode[0x02]*0x04+var_4];
                    var_4++;
                }

                if (var_118>var_11C) {
                    if(tempCode[snCode[0x1D]*0x04+snCode[0x1E]]!=tempCode[snCode[0x1F]*0x04+snCode[0x20]]) {
                        outCode[var_10] = 'a';
                        var_10 ++;
                    } else {
                        outCode[var_10] = 'e';
                        var_10 ++;
                    }
                }
                if (var_118<var_11C) {
                    // The three conditions are mutually exclusive, so exactly
                    // one letter is appended.
                    if(tempCode[snCode[0x21]*0x04+snCode[0x22]]>tempCode[snCode[0x23]*0x04+snCode[0x24]]) {
                        outCode[var_10] = 'g';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x21]*0x04+snCode[0x22]]<tempCode[snCode[0x23]*0x04+snCode[0x24]]) {
                        outCode[var_10] = 'f';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x21]*0x04+snCode[0x22]]==tempCode[snCode[0x23]*0x04+snCode[0x24]]) {
                        outCode[var_10] = 'h';
                        var_10 ++;
                    }
                }
                if (var_118==var_11C) {
                    // Refill tempCode from tempKey, which discards the six
                    // overwrites above for the refilled cells, before the last
                    // comparison.
                    var_4 = 0;
                    var_C = 0;
                    while (var_4<snCode[0]) {
                        var_8 = 0;
                        while (var_8<var_104) {
                            tempCode[var_4*0x04+var_8]=tempKey[var_C];
                            var_C++;
                            var_8++;
                        }
                        var_4++;
                    }
                    if(tempCode[snCode[0x25]*0x04+snCode[0x26]]>tempCode[snCode[0x27]*0x04+snCode[0x28]]) {
                        outCode[var_10] = 'b';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x25]*0x04+snCode[0x26]]<tempCode[snCode[0x27]*0x04+snCode[0x28]]) {
                        outCode[var_10] = 'c';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x25]*0x04+snCode[0x26]]==tempCode[snCode[0x27]*0x04+snCode[0x28]]) {
                        outCode[var_10] = 'd';
                        var_10 ++;
                    }
                }
            }

            if (var_110<var_114) {
                var_4 = 0;
                var_120 = 0;
                var_124 = 0;
                // Same six unchecked overwrites as in the '>' branch.
                tempCode[snCode[0x1]*0x4+snCode[0x0B]] = tempCode[snCode[0x0C]*0x4+snCode[0x0D]];
                tempCode[snCode[0x1]*0x4+snCode[0x0E]] = tempCode[snCode[0x0F]*0x4+snCode[0x10]];
                tempCode[snCode[0x1]*0x4+snCode[0x11]] = tempCode[snCode[0x12]*0x4+snCode[0x13]];
                tempCode[snCode[0x2]*0x4+snCode[0x14]] = tempCode[snCode[0x15]*0x4+snCode[0x16]];
                tempCode[snCode[0x2]*0x4+snCode[0x17]] = tempCode[snCode[0x18]*0x4+snCode[0x19]];
                tempCode[snCode[0x2]*0x4+snCode[0x1A]] = tempCode[snCode[0x1B]*0x4+snCode[0x1C]];

                // Second comparison after the edits. Author's note: this
                // decides which characters can be output and requires
                // snCode[0] != 0 and snCode[1] != snCode[2].
                while (var_4<var_104) {
                    var_120 += tempCode[snCode[0x01]*0x04+var_4];
                    var_124 += tempCode[snCode[0x02]*0x04+var_4];
                    var_4++;
                }

                if (var_120>var_124) {
                    if(tempCode[snCode[0x29]*0x04+snCode[0x2A]]>tempCode[snCode[0x2B]*0x04+snCode[0x2C]]) {
                        outCode[var_10] = 'f';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x29]*0x04+snCode[0x2A]]<tempCode[snCode[0x2B]*0x04+snCode[0x2C]]) {
                        // Author's note: a key spot. It looks like a wrong
                        // condition, but it matters: after 'g' is stored var_10
                        // is advanced, and the next, identical condition is
                        // also true, so 'g' is always followed by 'h'.
                        // NOTE(review): the mirrored block in the '>' branch
                        // tests >, < and ==; here it is >, < and < with no ==
                        // case, so nothing is appended on equality. Confirm the
                        // third comparison against the disassembly.
                        outCode[var_10] = 'g';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x29]*0x04+snCode[0x2A]]<tempCode[snCode[0x2B]*0x04+snCode[0x2C]]) {
                        outCode[var_10] = 'h';
                        var_10 ++;
                    }
                }
                if (var_120<var_124) {
                    if(tempCode[snCode[0x2D]*0x04+snCode[0x2E]]!=tempCode[snCode[0x2F]*0x04+snCode[0x30]]) {
                        outCode[var_10] = 'a';
                        var_10 ++;
                    } else {
                        outCode[var_10] = 'e';
                        var_10 ++;
                    }
                }
                if (var_120==var_124) {
                    // Refill tempCode from tempKey before the last comparison.
                    var_4 = 0;
                    var_C = 0;
                    while (var_4<snCode[0]) {
                        var_8 = 0;
                        while (var_8<var_104) {
                            tempCode[var_4*0x04+var_8]=tempKey[var_C];
                            var_C++;
                            var_8++;
                        }
                        var_4++;
                    }
                    // NOTE(review): the first test reads snCode[0x31..0x34],
                    // but the next two read snCode[0x25..0x28], the slots used
                    // by the '>' branch. Because the tests address different
                    // cells, 'c' can be followed by 'b' or 'd' in one step.
                    // Confirm against the disassembly whether all three should
                    // use 0x31..0x34.
                    if(tempCode[snCode[0x31]*0x04+snCode[0x32]]>tempCode[snCode[0x33]*0x04+snCode[0x34]]) {
                        outCode[var_10] = 'c';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x25]*0x04+snCode[0x26]]<tempCode[snCode[0x27]*0x04+snCode[0x28]]) {
                        outCode[var_10] = 'b';
                        var_10 ++;
                    }
                    if(tempCode[snCode[0x25]*0x04+snCode[0x26]]==tempCode[snCode[0x27]*0x04+snCode[0x28]]) {
                        outCode[var_10] = 'd';
                        var_10 ++;
                    }
                }
            }
        }
        var_108++;
    }
}
我对这一题的理解,主要是在SN的输入。下面的表达,有点乱,呵呵
// User string for this attempt. How it is turned into the DWORD indices that
// CreateOutCode reads from userCode is not shown here.
char szUser[] = "aebcdfijklgh";

// Candidate serial, one digit character per snCode slot. The hex ranges on the
// right are the snCode indices each group occupies. Presumably each character
// is converted to its numeric value before being passed as snCode; that
// conversion is not shown here.
// In the author's shorthand, "1(x) 2(y)" is the result of the first and second
// row-sum comparison, and "OUT" lists the letters produced for each outcome of
// the final cell comparison.
// 0x36 bytes hold the 0x35 digits plus one trailing zero byte.
char szSn[0x36] =
    "301"     // 0x00-0x02: row count / divisor, then the two rows that are summed
    //--------------------------------------
    "2021"    // 0x03-0x06: 1(==)  'i','j' (!=), 'k','l' (==)
    "2022"    // 0x07-0x0A: 'i'(!=), 'j'(==), 'k'(!=), 'l'(==)
    //-------------------------------------- tempCode cells are overwritten here to steer the control flow
    "000"     // 0x0B-0x0D: tempCode edit 1[1]
    "311"     // 0x0E-0x10: tempCode edit 1[2]
    "212"     // 0x11-0x13: tempCode edit 1[3]
    //--------------------------------------
    "010"     // 0x14-0x16: tempCode edit 2[1]
    "101"     // 0x17-0x19: tempCode edit 2[2]
    "221"     // 0x1A-0x1C: tempCode edit 2[3]
    //--------------------------------------
    "0002"    // 0x1D-0x20: 1(>) 2(>)   OUT 'a'(!=), 'e'
    //--------------------------------------
    "0203"    // 0x21-0x24: 1(>) 2(<)   OUT 'g'(>), 'f'(<), 'h'(==)
    //--------------------------------------
    "0102"    // 0x25-0x28: 1(<) 2(==)  OUT 'b'(<), 'd'(==)
              //            1(>) 2(==)  OUT 'b'(>), 'c'(<), 'd'(==)
    //--------------------------------------
    "0302"    // 0x29-0x2C: 1(<) 2(>)   OUT 'f'(>), 'g''h'(<)
    //--------------------------------------
    "0113"    // 0x2D-0x30: 1(<) 2(<)   OUT 'a'(!=), 'e'
    //--------------------------------------
    "0110";   // 0x31-0x34: 1(<) 2(==)  OUT 'c'(>)
这是我一个失败的作品。
我贴出来,是希望有人能指出我错误的地方。
谢谢!