Reversing cutie-keygen实战破解教程
本帖最后由 ymgsk123 于 2017-5-22 09:52 编辑Reversing cutie-keygen实战破解教程
QT的Crack Me,试运行
界面标题 有个cutie KeyGen,找Main,懒得拖IDA了。
0x2 Main位于01381BF0,PS:自行注意偏移地址
0138190B|.6A 0C PUSH 0xC0138190D|.68 18B0C401 PUSH 01C4B018 ;cutie keygen
01381912|.FFD5 CALL EBP
01381914|.83C4 08 ADD ESP, 0x8
01381917|.894424 10 MOV DWORD PTR SS:, EAX
0138191B|.8D4424 10 LEA EAX, DWORD PTR SS:
0138191F|.C64424 68 07 MOV BYTE PTR SS:, 0x7
01381924|.50 PUSH EAX
01381925|.8D4C24 1C LEA ECX, DWORD PTR SS:
01381929|.FF15 A0413801 CALL DWORD PTR DS:[<&Qt5Gui.QWindow::setTitle>] ;Qt5Gui.QWindow::setTitle
0138192F|.8D4C24 10 LEA ECX, DWORD PTR SS:
01381933|.C64424 68 04 MOV BYTE PTR SS:, 0x4
01381938|.FF15 84413801 CALL DWORD PTR DS:[<&Qt5Core.QString::~QString>] ;Qt5Core.QXmlStreamStringRef::~QXmlStreamStringRef
0138193E|.8D4C24 18 LEA ECX, DWORD PTR SS:
01381942|.FF15 BC413801 CALL DWORD PTR DS:[<&Qt5Gui.QWindow::show>] ;Qt5Gui.QWindow::show
01381948|.6A 00 PUSH 0x0
0138194A|.8D4C24 38 LEA ECX, DWORD PTR SS:
0138194E|.E8 9D020000 CALL 01381BF0找按钮派发事件
01382E80/[ DISCUZ_CODE_58 ]nbsp; 8B4424 08 MOV EAX, DWORD PTR SS:
01382E84|.83EC 08 SUB ESP, 0x8
01382E87|.85C0 TEST EAX, EAX
01382E89|.75 61 JNZ SHORT 01382EEC
01382E8B|.8B4424 14 MOV EAX, DWORD PTR SS:
01382E8F|.83E8 00 SUB EAX, 0x0 ;Switch (cases 0..1)
01382E92|.74 20 JE SHORT 01382EB4
01382E94|.48 DEC EAX
01382E95|.75 71 JNZ SHORT 01382F08
01382E97|.8B4424 18 MOV EAX, DWORD PTR SS: ;Case 1 of switch 01382E8F
01382E9B|.51 PUSH ECX
01382E9C|.8BCC MOV ECX, ESP
01382E9E|.FF70 04 PUSH DWORD PTR DS:
01382EA1|.FF15 40413801 CALL DWORD PTR DS:[<&Qt5Core.QString::QString>] ;Qt5Core.QString::QString
01382EA7|.8B4C24 10 MOV ECX, DWORD PTR SS: ; |
01382EAB|.E8 E0F5FFFF CALL 01382490 ; \win-crac.01382490
01382EB0|.83C4 08 ADD ESP, 0x8
01382EB3|.C3 RETN跟进来后
01382EAB|.E8 E0F5FFFF CALL 01382490 ; \win-crac.01382490这里是字符串消息记录调试
013825AA|.E8 A1F7FFFF CALL 01381D50 ; \win-crac.01381D50013825AF|.84C0 TEST AL, AL
013825B1|.8D4C24 38 LEA ECX, DWORD PTR SS:
013825B5|.8D4424 18 LEA EAX, DWORD PTR SS:
013825B9|.50 PUSH EAX
013825BA|.6A 00 PUSH 0x0
013825BC|.6A 00 PUSH 0x0
013825BE|.6A 00 PUSH 0x0
013825C0 74 2B JE SHORT 013825ED
013825C2|.FF15 54413801 CALL DWORD PTR DS:[<&Qt5Core.QMessageLogger::QMessageLogger>>;Qt5Core.QMessageLogger::QMessageLogger
013825C8|.8BC8 MOV ECX, EAX
013825CA|.FFD5 CALL EBP
013825CC|.68 B4B0C401 PUSH 01C4B0B4 ;YES!
013825D1|.8BC8 MOV ECX, EAX
013825D3|.C64424 58 03 MOV BYTE PTR SS:, 0x3
013825D8|.FF15 1C413801 CALL DWORD PTR DS:[<&Qt5Core.QDebug::operator<<>] ;Qt5Core.QDebug::operator<<
013825DE|.8D4C24 18 LEA ECX, DWORD PTR SS:
013825E2|.C64424 54 01 MOV BYTE PTR SS:, 0x1
013825E7|.FFD7 CALL EDI
013825E9|.6A 00 PUSH 0x0
013825EB|.EB 29 JMP SHORT 01382616
013825ED|>FF15 54413801 CALL DWORD PTR DS:[<&Qt5Core.QMessageLogger::QMessageLogger>>;Qt5Core.QMessageLogger::QMessageLogger
013825F3|.8BC8 MOV ECX, EAX
013825F5|.FFD5 CALL EBP
013825F7|.68 BCB0C401 PUSH 01C4B0BC ;NOPE :(
爆破的话 013825C0
013825AA|.E8 A1F7FFFF CALL 01381D50 ; \win-crac.01381D5001381DB3|.FF15 40413801 CALL DWORD PTR DS:[<&Qt5Core.QString::QString>] ;Qt5Core.QString::QString
01381DB9|.8BCB MOV ECX, EBX ; |
01381DBB|.E8 E0000000 CALL 01381EA0 ; \win-crac.01381EA0
01381DC0|.50 PUSH EAX
01381DC1|.8D8C24 2C010000 LEA ECX, DWORD PTR SS:
01381DC8|.FF15 3C413801 CALL DWORD PTR DS:[<&Qt5Core.QString::operator=>] ;Qt5Core.QString::operator=
01381DCE|.51 PUSH ECX
01381DXF|.8D8424 2C010000 LEA EAX, DWORD PTR SS:
01381DD6|.8BCC MOV ECX, ESP
01381DD8|.50 PUSH EAX
01381DD9|.FF15 40413801 CALL DWORD PTR DS:[<&Qt5Core.QString::QString>] ;Qt5Core.QString::QString
01381DDF|.8BCB MOV ECX, EBX
01381DE1|.E8 7A080000 CALL 0138266001381DB3PassWord 01381DE1 |. E8 7A080000 CALL 01382660 xor PassWord0x5 初始化算法跟进Main CALL 01381BF0 01381C32|.E8 69030000 CALL 01381FA0算法
加密的关键,块加密算法,初始化的数据
0138221B|.C78424 90000000 DF90BC70 MOV DWORD PTR SS:, 0x70BC90DF
01382226|.C78424 94000000 57EF965A MOV DWORD PTR SS:, 0x5A96EF57
01382231|.C78424 98000000 EEXF0955 MOV DWORD PTR SS:, 0x5509XFEE
0138223C|.C78424 9C000000 CE80200D MOV DWORD PTR SS:, 0xD2080CE
01382247|.C78424 A0000000 4FE10E07 MOV DWORD PTR SS:, 0x70EE14F
01382252|.C78424 A4000000 46A4C62F MOV DWORD PTR SS:, 0x2FC6A446
0138225D|.C78424 A8000000 F0EC5553 MOV DWORD PTR SS:, 0x5355EXF0
01382268|.C78424 AC000000 2B785764 MOV DWORD PTR SS:, 0x6457782B用了一对64的块,并且每个都使用了个64的密钥并且看关键的地方是不是一个字符或单个数据块,然后这些数值在初始化的时候就被利用 013822B8|.C747 18 3A0E0F88 MOV DWORD PTR DS:, 0x880F0E3A
013822BF|.C747 1C AF56D816 MOV DWORD PTR DS:, 0x16D856AF
013822C6|.C747 20 10F38F05 MOV DWORD PTR DS:, 0x58FF310
013822CD|.C747 24 7C36E8D8 MOV DWORD PTR DS:, 0xD8E8367C再看这里01381DE1 |. E8 7A080000 CALL 01382660 xor PassWord
这里是16个字节的第一块地方,然后同一段代码来处理最后16个字节,其次逆变换在最小尾数013829C0 > /33C0 XOR EAX, EAX
013829C2 . |8BCA MOV ECX, EDX
013829C4 . |0FACEA 08 SHRD EDX, EBP, 0x8
013829C8 . |C1E1 18 SHL ECX, 0x18
013829CB . |C1ED 08 SHR EBP, 0x8
013829CE . |0BD0 OR EDX, EAX
013829D0 . |0BE9 OR EBP, ECX
013829D2 . |03D3 ADD EDX, EBX
013829D4 . |8BCE MOV ECX, ESI
013829D6 . |13EE ADC EBP, ESI
013829D8 . |C1E9 1D SHR ECX, 0x1D
013829DB . |336C24 58 XOR EBP, DWORD PTR SS:
013829DF . |33D7 XOR EDX, EDI
013829E1 . |0FA4DE 03 SHLD ESI, EBX, 0x3
013829E5 . |896C24 3C MOV DWORD PTR SS:, EBP
013829E9 . |0BF0 OR ESI, EAX
013829EB . |896C24 7C MOV DWORD PTR SS:, EBP
013829EF . |33F5 XOR ESI, EBP
013829F1 . |C1E3 03 SHL EBX, 0x3
013829F4 . |8B6C24 5C MOV EBP, DWORD PTR SS:
013829F8 . |0BD9 OR EBX, ECX
013829FA . |8B4C24 1C MOV ECX, DWORD PTR SS:
013829FE . |33DA XOR EBX, EDX
01382A00 . |0FAC6C24 1C 08 SHRD DWORD PTR SS:, EBP, 0x8
01382A06 . |0B4424 1C OR EAX, DWORD PTR SS:
01382A0A . |C1E1 18 SHL ECX, 0x18
01382A0D . |C1ED 08 SHR EBP, 0x8
01382A10 . |0BCD OR ECX, EBP
01382A12 . |895424 78 MOV DWORD PTR SS:, EDX
01382A16 . |8B6C24 58 MOV EBP, DWORD PTR SS:
01382A1A . |03C7 ADD EAX, EDI
01382A1C . |897424 74 MOV DWORD PTR SS:, ESI
01382A20 . |13CD ADC ECX, EBP
01382A22 . |334424 24 XOR EAX, DWORD PTR SS:
01382A26 . |334C24 14 XOR ECX, DWORD PTR SS:
01382A2A . |894424 1C MOV DWORD PTR SS:, EAX
01382A2E . |33C0 XOR EAX, EAX
01382A30 . |894C24 5C MOV DWORD PTR SS:, ECX
01382A34 . |8BCD MOV ECX, EBP
01382A36 . |0FA4FD 03 SHLD EBP, EDI, 0x3
01382A3A . |C1E9 1D SHR ECX, 0x1D
01382A3D . |0BC5 OR EAX, EBP
01382A3F . |C1E7 03 SHL EDI, 0x3
01382A42 . |334424 5C XOR EAX, DWORD PTR SS:
01382A46 . |0BF9 OR EDI, ECX
01382A48 . |337C24 1C XOR EDI, DWORD PTR SS:
01382A4C . |8B6C24 3C MOV EBP, DWORD PTR SS:
01382A50 . |894424 58 MOV DWORD PTR SS:, EAX
01382A54 . |8B4424 24 MOV EAX, DWORD PTR SS:
01382A58 . |83C0 01 ADD EAX, 0x1
01382A5B . |894424 24 MOV DWORD PTR SS:, EAX
01382A5F . |835424 14 00 ADC DWORD PTR SS:, 0x0
01382A64 . |75 09 JNZ SHORT 01382A6F
01382A66 . |83F8 20 CMP EAX, 0x20
01382A69 .^\0F82 51FFFFFF JB 013829C0013829D0 .0BE9 OR EBP, ECX ;s0 = ror(s0, 8)013829D6 .13EE ADC EBP, ESI ;s0 = s0 + s1013829DF .33D7 XOR EDX, EDI ;s0 = s0 ^ x0013829F8 .0BD9 OR EBX, ECX ; s1 = rol(s1, 3)013829FE .33DA XOR EBX, EDX ;s1 = s1 ^ s001382A10 .0BCD OR ECX, EBP ;x1 = ror(x1, 8)01382A20 .13CD ADC ECX, EBP ;x1 = x1 + x001382A26 .334C24 14 XOR ECX, DWORD PTR SS: ;x1 = x1 ^ i01382A46 .0BF9 OR EDI, ECX ;x0 = rol(x0, 3)01382A48 .337C24 1C XOR EDI, DWORD PTR SS: ;x0 = x0 ^ x101382A5F .835424 14 00 ADC DWORD PTR SS:, 0x0 ;i = i + 1
C747 18 3A0E0F88 MOV DWORD PTR DS:, 0x880F0E3A013822BF|.C747 1C AF56D816 MOV DWORD PTR DS:, 0x16D856AF013822C6|.C747 20 10F38F05 MOV DWORD PTR DS:, 0x58FF310013822CD|.C747 24 7C36E8D8 MOV DWORD PTR DS:, 0xD8E8367Cdef en_cry(HexData):
s0, s1 = HexData
x0 = 0xD8E8367C058FF310
x1 = 0x16D856AF880F0E3A
for i in xrange(32):
s0 = add(ror(s0, 8), s1) ^ x0
x1 = add(ror(x1, 8), x0) ^ i
s1 = rol(s1, 3) ^ s0
x0 = rol(x0, 3) ^ x1
return s0, s1
def encrypt(HexData):
res = []
for i in xrange(0, len(HexData), 2):
res.extend(en_cry(HexData))
return res
def encrypt_passwd(passwd):
l = unpack('>4Q', pack('>16H', *passwd))
l = encrypt(l)
l = unpack('>16H', pack('>4Q', *l)) return l 加密密钥与阵列块01381E11|> \FF73 08 PUSH DWORD PTR DS:
01381E14|.8D4424 18 LEA EAX, DWORD PTR SS:
01381E18|.50 PUSH EAX
01381E19|.8D8424 9C000000 LEA EAX, DWORD PTR SS:
01381E20|.50 PUSH EAX
01381E21|.E8 0AFXFFFF CALL 01381A30
01381E26|.8BF0 MOV ESI, EAX
01381E28|.B9 20000000 MOV ECX, 0x20
01381E2D|.F3:A5 REP MOVS DWORD PTR ES:, DWORD PTR DS:
01381E2F|.83C4 0C ADD ESP, 0xC
01381E32|.8D7C24 14 LEA EDI, DWORD PTR SS:
01381E36|.8BF0 MOV ESI, EAX
01381E38|.B9 20000000 MOV ECX, 0x20
01381E3D|.F3:A5 REP MOVS DWORD PTR ES:, DWORD PTR DS:
01381E3F|.FF73 0C PUSH DWORD PTR DS:
01381E42|.8D4C24 18 LEA ECX, DWORD PTR SS:
01381E46|.E8 05FEFFFF CALL 01381C50
01381E4B|.84C0 TEST AL, AL
01381E4D|.75 04 JNZ SHORT 01381E53
01381E4F|.B3 01 MOV BL, 0x1
01381E51|.EB 02 JMP SHORT 01381E55
01381E53|>32DB XOR BL, BL
01381E55|>8D8C24 28010000 LEA ECX, DWORD PTR SS:
01381E5C|.C78424 20010000 FFFFFFFF MOV DWORD PTR SS:, -0x1
01381E67|.FF15 84413801 CALL DWORD PTR DS:[<&Qt5Core.QString::~QString>] ;Qt5Core.QXmlStreamStringRef::~QXmlStreamStringRef这里基于密钥与阵列,然后创造我们的Key与基准数据进行比较。01381FBE|.C74424 10 80130000 MOV DWORD PTR SS:, 0x1380
01381FC6|.C74424 14 00000000 MOV DWORD PTR SS:, 0x0
01381FCE|.C74424 18 E4040000 MOV DWORD PTR SS:, 0x4E4
01381FD6|.C74424 1C 00000000 MOV DWORD PTR SS:, 0x0
01381FDE|.C74424 20 09270000 MOV DWORD PTR SS:, 0x2709
01381FE6|.C74424 24 00000000 MOV DWORD PTR SS:, 0x0
01381FEE|.C74424 28 35200000 MOV DWORD PTR SS:, 0x2035
01381FF6|.C74424 2C 00000000 MOV DWORD PTR SS:, 0x0
01381FFE|.C74424 30 FA250000 MOV DWORD PTR SS:, 0x25FA
01382006|.C74424 34 00000000 MOV DWORD PTR SS:, 0x0
0138200E|.C74424 38 DA560000 MOV DWORD PTR SS:, 0x56DA
01382016|.C74424 3C 00000000 MOV DWORD PTR SS:, 0x0
0138201E|.C74424 40 03010000 MOV DWORD PTR SS:, 0x103
01382026|.C74424 44 00000000 MOV DWORD PTR SS:, 0x0
0138202E|.C74424 48 31150000 MOV DWORD PTR SS:, 0x1531
01382036|.C74424 4C 00000000 MOV DWORD PTR SS:, 0x0
0138203E|.C74424 50 AA0C0000 MOV DWORD PTR SS:, 0xCAA
01382046|.C74424 54 00000000 MOV DWORD PTR SS:, 0x0
0138204E|.C74424 58 611A0000 MOV DWORD PTR SS:, 0x1A61
01382056|.C74424 5C 00000000 MOV DWORD PTR SS:, 0x0
0138205E|.C74424 60 070E0000 MOV DWORD PTR SS:, 0xE07
01382066|.C74424 64 00000000 MOV DWORD PTR SS:, 0x0
0138206E|.C74424 68 20000000 MOV DWORD PTR SS:, 0x20
01382076|.C74424 6C 00000000 MOV DWORD PTR SS:, 0x0
0138207E|.C74424 70 E2000000 MOV DWORD PTR SS:, 0xE2
01382086|.C74424 74 00000000 MOV DWORD PTR SS:, 0x0
0138208E|.C74424 78 3F120000 MOV DWORD PTR SS:, 0x123F
01382096|.C74424 7C 00000000 MOV DWORD PTR SS:, 0x0
0138209E|.C78424 80000000 C0000000 MOV DWORD PTR SS:, 0xC0
013820A9|.C78424 84000000 00000000 MOV DWORD PTR SS:, 0x0
013820B4|.C78424 88000000 C70D0000 MOV DWORD PTR SS:, 0xDC7
013820BF|.C78424 8C000000 00000000 MOV DWORD PTR SS:, 0x0这里有16个数据块的阵列,我们可以先表示位为4×4的矩阵,它在开始时就被初始化,以及另一个常数数据矩阵相乘。
如果是相等的,输入的Key就是有效的。
013820EE|.C74424 10 6AC26F14 MOV DWORD PTR SS:, 0x146FC26A
013820F6|.C74424 14 00000000 MOV DWORD PTR SS:, 0x0
013820FE|.C74424 18 9A013424 MOV DWORD PTR SS:, 0x2434019A
01382106|.C74424 1C 00000000 MOV DWORD PTR SS:, 0x0
0138210E|.C74424 20 4E96B216 MOV DWORD PTR SS:, 0x16B2964E
01382116|.C74424 24 00000000 MOV DWORD PTR SS:, 0x0
0138211E|.C74424 28 64C1FC1D MOV DWORD PTR SS:, 0x1DFCC164
01382126|.C74424 2C 00000000 MOV DWORD PTR SS:, 0x0
0138212E|.C74424 30 046B7610 MOV DWORD PTR SS:, 0x10766B04
01382136|.C74424 34 00000000 MOV DWORD PTR SS:, 0x0
0138213E|.C74424 38 9DE9671F MOV DWORD PTR SS:, 0x1F67E99D
01382146|.C74424 3C 00000000 MOV DWORD PTR SS:, 0x0
0138214E|.C74424 40 02589013 MOV DWORD PTR SS:, 0x13905802
01382156|.C74424 44 00000000 MOV DWORD PTR SS:, 0x0
0138215E|.C74424 48 A39DA914 MOV DWORD PTR SS:, 0x14A99DA3
01382166|.C74424 4C 00000000 MOV DWORD PTR SS:, 0x0
0138216E|.C74424 50 6CCEE52A MOV DWORD PTR SS:, 0x2AE5CE6C
01382176|.C74424 54 00000000 MOV DWORD PTR SS:, 0x0
0138217E|.C74424 58 7FAA4840 MOV DWORD PTR SS:, 0x4048AA7F
01382186|.C74424 5C 00000000 MOV DWORD PTR SS:, 0x0
0138218E|.C74424 60 5F9BXF33 MOV DWORD PTR SS:, 0x33XF9B5F
01382196|.C74424 64 00000000 MOV DWORD PTR SS:, 0x0
0138219E|.C74424 68 6216102C MOV DWORD PTR SS:, 0x2C101662
013821A6|.C74424 6C 00000000 MOV DWORD PTR SS:, 0x0
013821AE|.C74424 70 E4FXF52D MOV DWORD PTR SS:, 0x2DF5FCE4
013821B6|.C74424 74 00000000 MOV DWORD PTR SS:, 0x0
013821BE|.C74424 78 4CC7264C MOV DWORD PTR SS:, 0x4C26C74C
013821C6|.C74424 7C 00000000 MOV DWORD PTR SS:, 0x0
013821CE|.C78424 80000000 0F98D52C MOV DWORD PTR SS:, 0x2CD5980F
013821D9|.C78424 84000000 00000000 MOV DWORD PTR SS:, 0x0
013821E4|.C78424 88000000 DBDEA92B MOV DWORD PTR SS:, 0x2BA9DEDB
013821EF|.C78424 8C000000 00000000 MOV DWORD PTR SS:, 0x0Python
def Fuck():
B = []
for i in xrange(16):
B.append(Int(i))
s = Fuckr()
for i in B:
s.add(And(i >= 0, i <= 0xFFFF))
for i in xrange(4):
for j in xrange(4):
s.add(
B * A +
B * A +
B * A +
B * A == R
)
r = []
if s.check() == sat:
r = []
model = s.model()
for i in xrange(16):
r.append(model].as_long())
else:
print 'Oops'
return r编写脚本进行解密,经过测试还需要正确排列解密密钥的顺序。测试后
def De_cry(HexData):
s0, s1 = HexData
x0 = 0x0A728E203850A80E
x1 = 0x1B8E2679CCAEF6B4
for i in xrange(32):
x0 = ror(x0 ^ x1, 3)
s1 = ror(s1 ^ s0, 3)
x1 = rol(sub(x1 ^ (31 - i), x0), 8)
s0 = rol(sub(s0 ^ x0, s1), 8)
return s0, s1
def De(HexData):
res = []
for i in xrange(0, len(HexData), 2):
res.extend(De_cry(HexData))
return res
def De_PassWord(passwd):
l = unpack('>4Q', pack('>16H', *passwd))
l = De(l)
l = unpack('>16H', pack('>4Q', *l)) return lDone
A = [0x1380, 0x4E4, 0x2709, 0x2035, 0x25FA, 0x56DA, 0x103, 0x1531,
0x0CAA, 0x1A61, 0x0E07, 0x20, 0x0E2, 0x123F, 0x0C0, 0x0DC7]
R = [0x146FC26A, 0x2434019A, 0x16B2964E, 0x1DFCC164,
0x10766B04, 0x1F67E99D, 0x13905802, 0x14A99DA3,
0x2AE5CE6C, 0x4048AA7F, 0x33XF9B5F, 0x2C101662,
0x2DF5FCE4, 0x4C26C74C, 0x2CD5980F, 0x2BA9DEDB,]
xor_key = [0x90DF, 0x70BC, 0x0EF57, 0x5A96, 0x0XFEE, 0x5509, 0x80CE, 0x0D20,
0x0E14F, 0x70E, 0x0A446, 0x2FC6, 0x0EXF0, 0x5355, 0x782B, 0x6457]
def Fuck():
B = []
for i in xrange(16):
B.append(Int(i))
s = Fuckr()
for i in B:
s.add(And(i >= 0, i <= 0xFFFF))
for i in xrange(4):
for j in xrange(4):
s.add(
B * A +
B * A +
B * A +
B * A == R
)
r = []
if s.check() == sat:
r = []
model = s.model()
for i in xrange(16):
r.append(model].as_long())
else:
print 'Oops'
return r
def ror(n, c, bits=64):
mask = (1 << bits) - 1
return ((n >> c) | (n << (bits - c))) & mask
def rol(n, c, bits=64):
return ror(n, bits - c, bits)
def sub(n, c, bits=64):
mask = (1 << bits) - 1
return (n - c) & mask
def xor_passwd(passwd):
l = * 16
for i in xrange(16):
l = passwd ^ xor_key
return l
def De_cry(HexData):
s0, s1 = HexData
x0 = 0x0A728E203850A80E
x1 = 0x1B8E2679CCAEF6B4
for i in xrange(32):
x0 = ror(x0 ^ x1, 3)
s1 = ror(s1 ^ s0, 3)
x1 = rol(sub(x1 ^ (31 - i), x0), 8)
s0 = rol(sub(s0 ^ x0, s1), 8)
return s0, s1
def De(HexData):
res = []
for i in xrange(0, len(HexData), 2):
res.extend(De_cry(HexData))
return res
def De_PassWord(passwd):
l = unpack('>4Q', pack('>16H', *passwd))
l = De(l)
l = unpack('>16H', pack('>4Q', *l))
return l
passwd = Fuck()
passwd = De_PassWord(passwd)
passwd = xor_passwd(passwd)
print(''.join(map(chr, passwd)))下载地址
https://www.crack.vc/index.php?dir=Exercise/&file=cutie-keygen.zip
页:
[1]