Bootstrap

01Editor最新破解

01Editor最新版注册算法逆向

1.定位注册算法代码

【版本】 13.0.1   64 b i t \textcolor{green}{【版本】13.0.1\ 64bit} 【版本】13.0.1 64bit

注册的提示信息还有界面的提示信息很丰富,这为我们定位关键代码提供了充分的线索。将01Editor拖入IDA分析,直接字符串搜索“Thank you for purchasing 010 Editor!”就来到了关键位置( R V A = 0 x 210520 \textcolor{orange}{RVA = 0x210520} RVA=0x210520)。

2.整体注册算法

  1. 判断序列号是否包含空格,有空格就是非法的序列号

在这里插入图片描述

  1. 判断序列号格式是否符合XXXX-XXXX-XXXX-XXXX

在这里插入图片描述

  1. 对序列号进行简单的字符替换

在这里插入图片描述

  1. 进入序列号和用户名加密运算验证(*重点部分,后面再说。这里用 C h e c k 1 \textcolor{cornflowerblue}{Check1} Check1代替),会返回一个结果,这里用rs1代替。

  2. 进入第二处验证,用 C h e c k 2 \textcolor{cornflowerblue}{Check2} Check2代替,返回结果用rs2代替。

  3. 网络验证。发现最新版没有走网络验证。。。。因为有处条件永不满足

在这里插入图片描述

  1. 用rs1和rs2作为注册的最终结果进行反馈,可以确定 r s 2 = = 0 x D B \textcolor{orange}{rs2 == 0xDB} rs2==0xDB就是我们期望的结果

在这里插入图片描述

3.Check1算法分析

  1. 先判断用户名和序列号的长度均不为0才能往下验证,否则直接返回0x93

  2. 再次检查序列号格式,并按照自定义方法将序列号转成16进制的字节数组

在这里插入图片描述

  • 序列号的长度分为两种0x130x18

  • 转换结果用hb代称,hb中的每一个元素都是 serial 中除 ‘-’ 元素外的两两元素组合而成。 C h a r _ T r a n s F o r m \textcolor{cornflowerblue}{Char\_TransForm} Char_TransForm实现:

  • __int64 __fastcall Jmp_CharTransForm(__int64 a1, char a2)
    {
      if ( (unsigned __int8)(a2 - 0x30) <= 9u )
        return (unsigned int)(a2 - 0x30);
      if ( ((a2 - 'O') & 0xDF) == 0 )               // 只有a2 == 'O' 才满足,但是前面预处理的时候将'O'换成了0,
                                                    // 因此这里永不满足。
        return 0i64;
      if ( a2 == 'l' )
        return 1i64;
      if ( (unsigned __int8)(a2 - 'a') <= 0x19u )
        return a2 - (unsigned int)'W';
      if ( (unsigned __int8)(a2 - 'A') <= 0x19u )
        return a2 - (unsigned int)'7';
      else
        return 0i64;
    }
    

    注意:这个函数是多对一的,所以这个函数的反函数就成了一对多。例如原函数输入一个‘ l ’或者‘ 1 ’,输出都是 1 ,反函数输入一个 1 ,输出可以任选‘ l ’和‘ 1 ’其一。 \textcolor{BrickRed}{注意:这个函数是多对一的,所以这个函数的反函数就成了一对多。例如原函数输入一个‘l’或者‘1’,输出都是1,反函数输入一个1,输出可以任选‘l’和‘1’其一。} 注意:这个函数是多对一的,所以这个函数的反函数就成了一对多。例如原函数输入一个l或者‘1’,输出都是1,反函数输入一个1,输出可以任选l‘1’其一。

    要对其进行求逆 R e C h a r T o B y t e \textcolor{cornflowerblue}{ReCharToByte} ReCharToByte,可以写成如下形式:

    char ReCharToByte(unsigned char chr)
    {
        if (chr > 1 && chr <= 9)
            return chr + 0x30;
        if (chr == 0)
        {
            // 原输入有3种情况,这里随机选一种
            switch (rand() % 3)
            {
            case 0:return chr + 0x30;
            case 1:return 'O';
            case 2:return 'o';
            }
        }
        if (chr == 1)
        {
    		switch (rand() % 2)
    		{
    		case 0:return chr + 0x30;
    		case 1:return 'l';
    		}
        }
        // 其余情况就是原本的输入是字母a-z/A-Z
        if (chr + '7' <= 'Z')
            return chr + '7';
        return chr + 'W';
    }
    
  1. 如果 U s e r N a m e [ 0 ] = = ‘ C ’ \textcolor{orange}{UserName[0] == ‘C’} UserName[0]==C ,且 U s e r N a m e [ 1 ] = = ‘ O ’ \textcolor{orange}{UserName[1] == ‘O’} UserName[1]==O,则serial不能全等于某一个字符数组(byte_B9A578)前0xA个元素的倒序;如果 U s e r N a m e [ 0 ] = = ‘ J ’ \textcolor{orange}{UserName[0] == ‘J’} UserName[0]==J ,且 U s e r N a m e [ 1 ] = = ‘ U ’ \textcolor{orange}{UserName[1] == ‘U’} UserName[1]==U,则serial不能全等于 b y t e B 9 A 578 + 0 x C \textcolor{orange}{byte_B9A578+0xC} byteB9A578+0xC0xA个元素的倒序。

在这里插入图片描述

实际这个位置的校验没多大用处。 \textcolor{green}{实际这个位置的校验没多大用处。} 实际这个位置的校验没多大用处。

  1. 根据 h b [ 3 ] \textcolor{orange}{hb[3]} hb[3]的取值,分三种处理情况:

    switch ( BYTE3(HexBytes) )                  // HexBytes[3]
        {
          case 0x9C:
            v19 = (unsigned __int8)(BYTE5(HexBytes) ^ BYTE2(HexBytes))// HexBytes[5] ^ HexBytes[2]
                + ((unsigned __int8)(HIBYTE(HexBytes) ^ BYTE1(HexBytes)) << 8);// (HexBytes[1] ^ HexBytes[7]) << 8
            ri->X1 = (unsigned __int8)Xor_1((unsigned __int8)(BYTE6(HexBytes) ^ (unsigned __int8)HexBytes));// ((a1 ^ 0x18) + 0x3D) ^ 0xA7
            v20 = (unsigned __int16)Calc_1(v19);
            ri->X2 = (unsigned __int16)v20;
            X1 = ri->X1;
            if ( X1 && (unsigned int)(v20 - 1) <= 0x3E7 )
            {
              v22 = 0;
              if ( X1 < 2 )
                v22 = ri->X1;
    End:
              QString::toUtf8(&ri->UserName, v36);  // UserName
              LOBYTE(v4) = v18 != (char)0xFC;
              v24 = QByteArray::data((QByteArray *)v36);
              v25 = Calc_2((__int64)v24, v4, v22, (unsigned int)ri->X2);
              if ( BYTE4(HexBytes) == (_BYTE)v25
                && (_BYTE)v14 == BYTE1(v25)
                && BYTE6(HexBytes) == BYTE2(v25)
                && HIBYTE(HexBytes) == HIBYTE(v25) )
              {
                if ( v18 == (char)0x9C )
                {
                  if ( v34 > ri->X1 )
                  {
                    v26 = 0x4E;
    LABEL_41:
                    QByteArray::~QByteArray((QByteArray *)v36);
                    return v26;
                  }
    LABEL_33:
                  v26 = 0x2D;
                  goto LABEL_41;
                }
                if ( v18 == (char)0xFC )
                {
                  v27 = Calc_3((unsigned __int8)HexBytes + (BYTE1(HexBytes) << 8) + (BYTE2(HexBytes) << 0x10), v25);
                  if ( v27 )
                  {
                    ri->X0 = v27;
                    v26 = 0x93;
                    goto LABEL_41;
                  }
                }
                else if ( v29 )
                {
                  if ( v35 > v29 )
                  {
                    v26 = 0x4E;
                    goto LABEL_41;
                  }
                  goto LABEL_33;
                }
              }
              v26 = 0xE7;
              goto LABEL_41;
            }
            break;
          case 0xFC:
            v22 = 0xFF;
            ri->X1 = 0xFF;
            ri->X2 = 1;
            ri->field_40 = 1;
            goto End;
          case 0xAC:
            ri->X1 = 2;
            v23 = Calc_1((unsigned __int16)((unsigned __int8)(v14 ^ v15) + ((unsigned __int8)(HIBYTE(HexBytes) ^ v16) << 8)));
            ri->X2 = v23;
            if ( (unsigned int)v23 - 1 <= 0x3E7 )
            {
              v29 = Calc_3(
                      (BYTE6(HexBytes) ^ v17)
                    + ((v14 ^ HexBytes_Off_9) << 0x10)
                    + ((HexBytes_Off_8 ^ (unsigned int)BYTE4(HexBytes)) << 8),
                      0x5B8C27i64);
              ri->field_44 = v29;
              v22 = v29;
              goto End;
            }
            break;
        }
        return 0xE7i64;
      }
      return 0x93i64;
    }
    

    由于编译器优化,这部分代码可读性比较差,手动分析整理之后得到伪代码:

    /*
    	Check1后部分的逻辑
    */
    if(len(UserName)==0 || len(Serial) == 0)
    	return 0x93;
    
    v29 = 0;
    // case 0x9C:
    v19 = (hb[5] ^ hb[2]) + ((hb[1] ^ hb[7])<<8);
    v21 = Xor_1(hb[6] ^ hb[0]); // v21
    v20 = Calc_1(v19);  //
    if(v21 && (v20-1) <= 999)
    {
    	v22 = 0;
    	if(v21 < 2)
    		v22 = v21;
    	v25 = Calc_2(UserName, True, v22, v20); // v25 是4字节长度
    	if(hb[4] == v25[0] && hb[5] == v25[1] && hb[6] == v25[2] && hb[7] == v25[3])
    	{
    		if(0xE > v21)
    			return 0x4E;
    		return 0x2D;
    	}
    }	
    return 0xE7;
    //case 0xFC:
    v25 = Calc_2(UserName, False, 0xFF, 1); // v25 是4字节长度
    if(hb[4] == v25[0] && hb[5] == v25[1] && hb[6] == v25[2] && hb[7] == v25[3])
    {
    	v27 = Calc_3(hb[0] + (hb[1] << 8) + (hb[2] << 0x10), v25);
    	if(v27)
    	{
    		*(_DWORD *)(a1 + 0x28) = v27;
    		return 0x93;
    	}
    }
    return 0xE7;
    
    //case 0xAC:
    v23 = Calc_1((hb[5] ^ hb[2]) + ((hb[7] ^ hb[1]) << 8));
    if ( (unsigned int)v23 - 1 <= 0x3E7 )
    {
      v29 = Calc_3(
    		  (hb[6] ^ hb[0]) + ((hb[5] ^ v41) << 0x10) + ((v40 ^ hb[4]) << 8),
    		  0x5B8C27);
      
      v25 = Calc_2(UserName, False, v29, v23); // v25 是4字节长度
      if(hb[4] == v25[0] && hb[5] == v25[1] && hb[6] == v25[2] && hb[7] == v25[3])
      {
    	  if(v29)
    	  {
    		if(0x4B2>v29)
    			return 0x4E;
    	  }
      }
    }
    return 0xE7;
    

    其中有几个函数需要关注:

    • X o r _ 1 \textcolor{cornflowerblue}{Xor\_1} Xor_1

      • char __fastcall sub_36D330(char a1)
        {
          return ((a1 ^ 0x18) + 0x3D) ^ 0xA7;
        }
        
      • 这个函数可逆,单射。逆函数 R e X o r _ 1 \textcolor{cornflowerblue}{ReXor\_1} ReXor_1

        • return ((a1 ^ 0xA7) - 0x3D) ^ 0x18;
          
    • C a l c _ 1 \textcolor{cornflowerblue}{Calc\_1} Calc_1

      • __int64 __fastcall sub_36D2A0(__int16 a1)
        {
          unsigned int v1; // r8d
        
          v1 = (unsigned __int16)((a1 ^ 0x7892) + 0x4D30) ^ 0x3421;
          if ( v1 % 0xB )
            return 0i64;
          else
            return (unsigned __int16)(v1 / 0xB);
        }
        
      • 此函数条件为真的分支存在多对1情况,导致逆函数不能保证得到正确的原函数输入,而原函数的输入在后面验证的时候还需要用到。因此,这个函数的逆函数没有意义。

    • C a l c _ 2 \textcolor{cornflowerblue}{Calc\_2} Calc_2

      • __int64 __fastcall sub_36D380(BYTE *UserName, int a2, char a3, __int64 a4)
        {
        ...
          v5 = 0;
          if ( len_username > 0 )
          {
            i = 0i64;
            v9 = 0;
            v10 = 0xF * a4;
            v11 = 0;
            v12 = 0x11 * a3;
            do
            {
              v13 = toupper(UserName[i]);
              v14 = &g_Box[v12];
              v15 = v5 + g_Box[v13];
              v16 = &g_Box[v10];
              if ( a2 )
              {
                v17 = g_Box[(unsigned __int8)(v13 + 0xD)];
                v18 = (unsigned __int8)(v13 + 0x2F);
                v19 = v9;
              }
              else
              {
                v17 = g_Box[(unsigned __int8)(v13 + 0x3F)];
                v18 = (unsigned __int8)(v13 + 0x17);
                v19 = v11;
              }
              v12 += 9;
              v10 += 13;
              v9 += 19;
              v11 += 7;
              ++i;
              v5 = *v16 + *v14 + g_Box[v19] + g_Box[v18] * (v15 ^ v17);
            }
            while ( i < len_username );
          }
          return v5;
        }
        

        此函数是将UserName编码,记为ans,用来和序列号某个部分进行对比的,所以该函数也不用求逆。

4.Check2算法分析

在这里插入图片描述

这部分校验只要返回0xDB,就表示注册成功了,这就要求Check1返回0x2D,所以重点还是在Check1

以上就是所有注册算法流程,接下来考虑如何获得正确的任意用户名的序列号。

5.获得正确的任意用户名对应的序列号

我们期望Check1返回0x2D。通过分析,得知只有一条路径可以返回,即 h b [ 3 ]   = =   0 x 9 C \textcolor{orange}{hb[3]\ ==\ 0x9C} hb[3] == 0x9C时,满足:

v19 = (hb[5] ^ hb[2]) + ((hb[1] ^ hb[7])<<8);
v20 = Calc_1(v19);
v20 - 1 < 999;
v25 = Calc_2(user, true, 0, v20);
char* a1 = reinterpret_cast<char*>(&v25);
hb[4] == a1[0] && hb[5] == a1[1] && hb[6] == a1[2] && hb[7] == a1[3]
Xor_1(hb[6] ^ hb[0]) > 0xE

从条件约束中发现,其实serial长度应该是20。我们可以先枚举hb下标为1,2,5,7对应的元素,这样枚举空间就在 25 6 4   =   4294967296 \textcolor{orange}{256^4\ =\ 4294967296} 2564 = 4294967296内,还能接受。在满足条件3、6和7,就能确定hb中的所有元素,然后反求得serial。

综合以上条件得到注册机的代码:

unsigned char g_Data[24] = { 0x43,0x4f,0x57,0xd6,0x30,0xe3,0xca,0xb9,0xac,0xab,0xa1,0xc4,0x4a,0x55,0x59,0x2a,0x35,0xe2,0xc4,0x65,0xac,0xd3,0xa4,0xcb };
unsigned int g_Box[308] = { 0x39cb44b8,0x23754f67,0x5f017211,0x3ebb24da,0x351707c6,0x63f9774b,0x17827288,0xfe74821,0x5b5f670f,0x48315ae8,0x785b7769,0x2b7a1547,0x38d11292,0x42a11b32,0x35332244,0x77437b60,0x1eab3b10,0x53810000,0x1d0212ae,0x6f0377a8,0x43c03092,0x2d3c0a8e,0x62950cbf,0x30f06ffa,0x34f710e0,0x28f417fb,0x350d2f95,0x5a361d5a,0x15cc060b,0xafd13cc,0x28603bcf,0x3371066b,0x30cd14e4,0x175d3a67,0x6dd66a13,0x2d3409f9,0x581e7b82,0x76526b99,0x5c8d5188,0x2c857971,0x15f51fc0,0x68cc0d11,0x49f55e5c,0x275e4364,0x2d1e0dbc,0x4cee7ce3,0x32555840,0x112e2e08,0x6978065a,0x72921406,0x314578e7,0x175621b7,0x40771dbf,0x3fc238d6,0x4a31128a,0x2dad036e,0x41a069d6,0x25400192,0xdd4667,0x6afc1f4f,0x571040ce,0x62fe66df,0x41db4b3e,0x3582231f,0x55f6079a,0x1ca70644,0x1b1643d2,0x3f7228c9,0x5f141070,0x3e1474ab,0x444b256e,0x537050d9,0xf42094b,0x2fd820e6,0x778b2e5e,0x71176d02,0x7fea7a69,0x5bb54628,0x19ba6c71,0x39763a99,0x178d54cd,0x1246e88,0x3313537e,0x2b8e2d17,0x2a3d10be,0x59d10582,0x37a163db,0x30d6489a,0x6a215c46,0xe1c7a76,0x1fc760e7,0x79b80c65,0x27f459b4,0x799a7326,0x50ba1782,0x2a116d5c,0x63866e1b,0x3f920e3c,0x55023490,0x55b56089,0x2c391fd1,0x2f8035c2,0x64fd2b7a,0x4ce8759a,0x518504f0,0x799501a8,0x3f5b2cad,0x38e60160,0x637641d8,0x33352a42,0x51a22c19,0x85c5851,0x32917ab,0x2b770ac7,0x30ac77b3,0x2bec1907,0x35202d0,0xfa933d3,0x61255df3,0x22ad06bf,0x58b86971,0x5fca0de5,0x700d6456,0x56a973db,0x5ab759fd,0x330e0be2,0x5b3c0ddd,0x495d3c60,0x53bd59a6,0x4c5e6d91,0x49d9318d,0x103d5079,0x61ce42e3,0x7ed5121d,0x14e160ed,0x212d4ef2,0x270133f0,0x62435a96,0x1fa75e8b,0x6f092fbe,0x4a000d49,0x57ae1c70,0x4e2477,0x561e7e72,0x468c0033,0x5dcc2402,0x78507ac6,0x58af24c7,0xdf62d34,0x358a4708,0x3cfb1e11,0x2b71451c,0x77a75295,0x56890721,0xfef75f3,0x120f24f1,0x1990ae7,0x339c4452,0x27a15b8e,0xba7276d,0x60dc1b7b,0x4f4b7f82,0x67db7007,0x4f4a57d9,0x621252e8,0x20532cfc,0x6a390306,0x18800423,0x19f3778a,0x462316f0,0x56ae0937,0x43c2675c,0x65ca45fd,0xd604ff2,0xbfd22cb,0x3afe643b,0x3bf67fa6,0x44623579,0x184031f8,0x32174f97,0x4c6a092a,0x5fb50261,0x1650174,0x33634af1,0x712d18f4,0x6e997169,0x5dab7afe,0x7c2b2ee8,0x6edb75b4,0x5f836fb6,0x3c2a6dd6,0x292d05c2,0x52244db,0x149a5f4f,0x5d486540,0x331d15ea,0x4f456920,0x483a699f,0x3b450f05,0x3b207c6c,0x749d70fe,0x417461f6,0x62b031f1,0x2750577b,0x29131533,0x588c3808,0x1aef3456,0xf3c00ec,0x7da74742,0x4b797a6c,0x5ebb3287,0x786558b8,0xed4ff2,0x6269691e,0x24a2255f,0x62c11f7e,0x2f8a7dcd,0x643b17fe,0x778318b8,0x253b60fe,0x34bb63a3,0x5b03214f,0x5f1571f4,0x1a316e9f,0x7acf2704,0x28896838,0x18614677,0x1bf569eb,0xba85ec9,0x6aca6b46,0x1e43422a,0x514d5f0e,0x413e018c,0x307626e9,0x1ed1dfa,0x49f46f5a,0x461b642b,0x7d7007f2,0x13652657,0x6b160bc5,0x65e04849,0x1f526e1c,0x5a0251b6,0x2bd73f69,0x2dbf7acd,0x51e63e80,0x5cf2670f,0x21cd0a03,0x5cff0261,0x33ae061e,0x3bb6345f,0x5d814a75,0x257b5df4,0xa5c2c5b,0x16a45527,0x16f23945,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0 };

void ReStrsToHexBytes(unsigned char* hb,  char* serial);
void BruteForce(char* user);

int main()
{
	char user[] = "";
	BruteForce(user);
    return 0;
}

void BruteForce(char* user)
{
    char serial[0x19] = { 0 };
    unsigned char hb[8] = { 0 };
    bool bGo = true;
    hb[3] = 0x9C;
    // 根据hb爆破serial,先找出符合条件的1,2,5,7下标对应的元素
    for(unsigned char i1 = 0;i1<0xFF && bGo;i1++)
        for (unsigned char i2 = 0; i2 < 0xFF && bGo; i2++)
            for (unsigned char i5 = 0; i5 < 0xFF && bGo; i5++)
                for (unsigned char i7 = 0; i7 < 0xFF && bGo; i7++)
                {
                    unsigned short v19 = (i5 ^ i2) + ((i1 ^ i7) << 8);
                    unsigned int v20 = Calc_1(v19);
                    if((v20-1)>=999)
                        continue;
                    unsigned int v25 = Calc_2(user, true, 0, v20);
                    char* a1 = reinterpret_cast<char*>(&v25);
                    if (i5 == a1[1]  && i7 == a1[3])
                    {
                        hb[1] = i1;
                        hb[2] = i2;
                        hb[4] = a1[0];
                        hb[5] = i5;
                        hb[6] = a1[2];
                        hb[7] = i7;
                        hb[0] = ReXor_1(0xF)^hb[6];
                        bGo = false;
                        break;
                    }
                }

    ReStrsToHexBytes(hb, serial);
    printf("UserName: %s\nSerial: %s\n",user,serial);
}   

void ReStrsToHexBytes(unsigned char* hb,  char* serial)
{
    serial[0] = ReCharToByte(hb[0] >> 4);
    serial[1] = ReCharToByte(hb[0] & 0xF);
	serial[2] = ReCharToByte(hb[1] >> 4);
	serial[3] = ReCharToByte(hb[1] & 0xF);
    serial[4] = '-';
	serial[5] = ReCharToByte(hb[2] >> 4);
	serial[6] = ReCharToByte(hb[2] & 0xF);
	serial[7] = ReCharToByte(hb[3] >> 4);
	serial[8] = ReCharToByte(hb[3] & 0xF);
	serial[9] = '-';
	serial[0xA] = ReCharToByte(hb[4] >> 4);
	serial[0xB] = ReCharToByte(hb[4] & 0xF);
	serial[0xC] = ReCharToByte(hb[5] >> 4);
	serial[0xD] = ReCharToByte(hb[5] & 0xF);
	serial[0xE] = '-';
	serial[0xF] = ReCharToByte(hb[6] >> 4);
	serial[0x10] = ReCharToByte(hb[6] & 0xF);
	serial[0x11] = ReCharToByte(hb[7] >> 4);
	serial[0x12] = ReCharToByte(hb[7] & 0xF);
}

由于没有网络验证,所以同一个用户名和序列号可无限使用。这里给出一组可用的用户名和序列号:

Username:Brucy

Serial:218o-1A9C-EA2E-5227

在这里插入图片描述

;