|
|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?注册
×
routeros 3.0 它的7位序列号生成算法是根据硬盘的序列号信息和硬盘mbr第256字节处的信息综合后,产生序列号。
所以当时利用这个漏洞(实际上就是crc32碰撞),穷举mbr的信息,产生指定的序列号。然后用这个序列号的注册码就可以注册了。当时的算号器在:
http://bbs.routerclub.com/thread-42847-1-1.html
以下代码使用vc编译。
运行结果大概是这样:
序列号是: 798Y-K0N, 关键特征码是: 70df46f671d4092f2175aeb1
序列号是: Q8C4-1AN, 关键特征码是: f4134cea72d4092f21752389
序列号是: AK73-PET, 关键特征码是: c8b046f275d4092f217552e4 - // test.cpp : Defines the entry point for the console application.
- //
- #include "stdafx.h"
- #include "stdio.h"
- #include "stdlib.h"
- #include "string.h"
- #include "windows.h"
- #include "omp.h"
- char sn[9];
- unsigned char dev[]="/dev/hdb";
- char aTn0byx18s5hz4i[]="TN0BYX18S5HZ4IA67DGF3LPCJQRUK9MW2VE";
- DWORD dword_804E4E0[1024];
- char byte_804E4C0;
- unsigned char mbrinfo[512];
- #define TINY_BLOCK_COPY 64 // upper limit for movsd type copy
- #define IN_CACHE_COPY 64 * 1024 // upper limit for movq/movq copy w/SW prefetch
- #define UNCACHED_COPY 197 * 1024 // upper limit for movq/movntq w/SW prefetch
- //#define BLOCK_PREFETCH_COPY infinity // no limit for movq/movntq w/block prefetch
- #define CACHEBLOCK 80h // number of 64-byte blocks (cache lines) for block prefetch
- unsigned char hdinfo[512];
- void * memcpy2(void *dest, const void *src, size_t n)
- {
- __asm {
- mov ecx, [n] ; number of bytes to copy
- mov edi, [dest] ; destination
- mov esi, [src] ; source
- mov ebx, ecx ; keep a copy of count
- cld
- cmp ecx, TINY_BLOCK_COPY
- jb $memcpy_ic_3 ; tiny? skip mmx copy
- cmp ecx, 32*1024 ; don't align between 32k-64k because
- jbe $memcpy_do_align ; it appears to be slower
- cmp ecx, 64*1024
- jbe $memcpy_align_done
- $memcpy_do_align:
- mov ecx, 8 ; a trick that's faster than rep movsb...
- sub ecx, edi ; align destination to qword
- and ecx, 111b ; get the low bits
- sub ebx, ecx ; update copy count
- neg ecx ; set up to jump into the array
- add ecx, offset $memcpy_align_done
- jmp ecx ; jump to array of movsb's
- align 4
- movsb
- movsb
- movsb
- movsb
- movsb
- movsb
- movsb
- movsb
- $memcpy_align_done: ; destination is dword aligned
- mov ecx, ebx ; number of bytes left to copy
- shr ecx, 6 ; get 64-byte block count
- jz $memcpy_ic_2 ; finish the last few bytes
- cmp ecx, IN_CACHE_COPY/64 ; too big 4 cache? use uncached copy
- jae $memcpy_uc_test
- // This is small block copy that uses the MMX registers to copy 8 bytes
- // at a time. It uses the "unrolled loop" optimization, and also uses
- // the software prefetch instruction to get the data into the cache.
- align 16
- $memcpy_ic_1: ; 64-byte block copies, in-cache copy
- prefetchnta [esi + (200*64/34+192)] ; start reading ahead
- movq mm0, [esi+0] ; read 64 bits
- movq mm1, [esi+8]
- movq [edi+0], mm0 ; write 64 bits
- movq [edi+8], mm1 ; note: the normal movq writes the
- movq mm2, [esi+16] ; data to cache; a cache line will be
- movq mm3, [esi+24] ; allocated as needed, to store the data
- movq [edi+16], mm2
- movq [edi+24], mm3
- movq mm0, [esi+32]
- movq mm1, [esi+40]
- movq [edi+32], mm0
- movq [edi+40], mm1
- movq mm2, [esi+48]
- movq mm3, [esi+56]
- movq [edi+48], mm2
- movq [edi+56], mm3
- add esi, 64 ; update source pointer
- add edi, 64 ; update destination pointer
- dec ecx ; count down
- jnz $memcpy_ic_1 ; last 64-byte block?
- $memcpy_ic_2:
- mov ecx, ebx ; has valid low 6 bits of the byte count
- $memcpy_ic_3:
- shr ecx, 2 ; dword count
- and ecx, 1111b ; only look at the "remainder" bits
- neg ecx ; set up to jump into the array
- add ecx, offset $memcpy_last_few
- jmp ecx ; jump to array of movsd's
- $memcpy_uc_test:
- cmp ecx, UNCACHED_COPY/64 ; big enough? use block prefetch copy
- jae $memcpy_bp_1
- $memcpy_64_test:
- or ecx, ecx ; tail end of block prefetch will jump here
- jz $memcpy_ic_2 ; no more 64-byte blocks left
- // For larger blocks, which will spill beyond the cache, it's faster to
- // use the Streaming Store instruction MOVNTQ. This write instruction
- // bypasses the cache and writes straight to main memory. This code also
- // uses the software prefetch instruction to pre-read the data.
- align 16
- $memcpy_uc_1: ; 64-byte blocks, uncached copy
- prefetchnta [esi + (200*64/34+192)] ; start reading ahead
- movq mm0,[esi+0] ; read 64 bits
- add edi,64 ; update destination pointer
- movq mm1,[esi+8]
- add esi,64 ; update source pointer
- movq mm2,[esi-48]
- movntq [edi-64], mm0 ; write 64 bits, bypassing the cache
- movq mm0,[esi-40] ; note: movntq also prevents the CPU
- movntq [edi-56], mm1 ; from READING the destination address
- movq mm1,[esi-32] ; into the cache, only to be over-written
- movntq [edi-48], mm2 ; so that also helps performance
- movq mm2,[esi-24]
- movntq [edi-40], mm0
- movq mm0,[esi-16]
- movntq [edi-32], mm1
- movq mm1,[esi-8]
- movntq [edi-24], mm2
- movntq [edi-16], mm0
- dec ecx
- movntq [edi-8], mm1
- jnz $memcpy_uc_1 ; last 64-byte block?
- jmp $memcpy_ic_2 ; almost done
- // For the largest size blocks, a special technique called Block Prefetch
- // can be used to accelerate the read operations. Block Prefetch reads
- // one address per cache line, for a series of cache lines, in a short loop.
- // This is faster than using software prefetch, in this case.
- // The technique is great for getting maximum read bandwidth,
- // especially in DDR memory systems.
- $memcpy_bp_1: ; large blocks, block prefetch copy
- cmp ecx, CACHEBLOCK ; big enough to run another prefetch loop?
- jl $memcpy_64_test ; no, back to regular uncached copy
- mov eax, CACHEBLOCK / 2 ; block prefetch loop, unrolled 2X
- add esi, CACHEBLOCK * 64 ; move to the top of the block
- align 16
- $memcpy_bp_2:
- mov edx, [esi-64] ; grab one address per cache line
- mov edx, [esi-128] ; grab one address per cache line
- sub esi, 128 ; go reverse order
- dec eax ; count down the cache lines
- jnz $memcpy_bp_2 ; keep grabbing more lines into cache
- mov eax, CACHEBLOCK ; now that it's in cache, do the copy
- align 16
- $memcpy_bp_3:
- movq mm0, [esi ] ; read 64 bits
- movq mm1, [esi+ 8]
- movq mm2, [esi+16]
- movq mm3, [esi+24]
- movq mm4, [esi+32]
- movq mm5, [esi+40]
- movq mm6, [esi+48]
- movq mm7, [esi+56]
- add esi, 64 ; update source pointer
- movntq [edi ], mm0 ; write 64 bits, bypassing cache
- movntq [edi+ 8], mm1 ; note: movntq also prevents the CPU
- movntq [edi+16], mm2 ; from READING the destination address
- movntq [edi+24], mm3 ; into the cache, only to be over-written,
- movntq [edi+32], mm4 ; so that also helps performance
- movntq [edi+40], mm5
- movntq [edi+48], mm6
- movntq [edi+56], mm7
- add edi, 64 ; update dest pointer
- dec eax ; count down
- jnz $memcpy_bp_3 ; keep copying
- sub ecx, CACHEBLOCK ; update the 64-byte block count
- jmp $memcpy_bp_1 ; keep processing chunks
- // The smallest copy uses the X86 "movsd" instruction, in an optimized
- // form which is an "unrolled loop". Then it handles the last few bytes.
- align 4
- movsd
- movsd ; perform last 1-15 dword copies
- movsd
- movsd
- movsd
- movsd
- movsd
- movsd
- movsd
- movsd ; perform last 1-7 dword copies
- movsd
- movsd
- movsd
- movsd
- movsd
- movsd
- $memcpy_last_few: ; dword aligned from before movsd's
- mov ecx, ebx ; has valid low 2 bits of the byte count
- and ecx, 11b ; the last few cows must come home
- jz $memcpy_final ; no more, let's leave
- rep movsb ; the last 1, 2, or 3 bytes
- $memcpy_final:
- emms ; clean up the MMX state
- sfence ; flush the write buffer
- mov eax, [dest] ; ret value = destination pointer
- }
- }
- __declspec(naked) void test(unsigned char * dev,unsigned char * mbrinfo,char * sn){
- __asm
- {
- push ebp
- mov ebp, esp
- push ebx
- push eax
- //push esi
- //push edi
- mov ebx, [ebp+16]
- mov eax, [ebp+8]
- mov edx, [ebp+12]
- mov dword ptr [ebp-8], 0
- lea ecx, [ebp-8]
- mov byte ptr [ebx], 0
- call sub_804B7CC ; 取硬盘参数
- test al, al
- jz short loc_804C3E9
- push 9
- push ebx ; 计算出来的序列号
- xor edx, edx
- push edx ; 需要穷举的信息
- mov eax, [ebp-8]
- push eax ; 硬盘硬件信息
- push offset aTn0byx18s5hz4i ; "TN0BYX18S5HZ4IA67DGF3LPCJQRUK9MW2VE"
- call sub_8049FD8 ; 开始计算序列号
- add esp, 14h
- loc_804C3E9: ; CODE XREF: sub_804C3AE+22.j
- //pop edi
- //pop esi
- mov eax, [ebp-8]
- mov ebx, [ebp-4]
- leave
- retn
- sub_804B7CC:
- push ebp
- mov ebp, esp
- push edi
- push esi
- push ebx
- sub esp, 274h
- mov edi, edx
- mov [ebp-280h], ecx
- lea ebx, [ebp-20ch]
- push 512
- push offset hdinfo
- push ebx ; void *
- call memcpy
- add esp, 12
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- ; CODE XREF: sub_804B7CC+4F.j
-
- lea ebx, [edi+100h]
- lea esi, [ebp-22ch]
- xor ecx, ecx
- loc_804B849: ; CODE XREF: sub_804B7CC+9F.j
- mov eax, ecx
- shr eax, 1
- mov dl, [ebx+eax]
- mov al, dl
- shr al, 4
- and edx, 0Fh
- add eax, 30h
- add edx, 30h
- mov [esi+ecx], al
- mov [esi+ecx+1], dl
- add ecx, 2
- cmp ecx, 13h
- jbe short loc_804B849
- lea esi, [ebp-22ch]
- lea ebx, [ebp-1f8h]
- mov ecx, 13h
- loc_804B87E: ; CODE XREF: sub_804B7CC+BB.j
- mov edx, ebx
- mov al, [esi]
- inc ebx
- inc esi
- xor [edx], al
- dec ecx
- jns short loc_804B87E
- mov ax, word ptr [ebp-20ch+2]
- push 22h ; size_t
- mov word ptr [ebp-27ch], ax
- lea eax, [ebp-206h]
- push eax ; void *
- lea edx, [ebp-27ch+2]
- push edx ; void *
- call memcpy
- push 28h ; size_t
- lea eax, [ebp-1d6h]
- push eax ; void *
- lea edx, [ebp-258h]
- push edx ; void *
- call memcpy
- mov al, [ebp-1adh]
- mov [ebp-230h], al
- mov al, [ebp-1aah]
- mov [ebp-22fh], al
- mov al, [ebp-1a6h]
- mov [ebp-22eh], al
- add esp, 18h
- mov al, [ebp-1a4h]
- cmp ds:byte_804E4C0, 0
- mov [ebp-22dh], al
- lea ebx, [ebp-27ch]
- jnz short loc_804B935
- xor ecx, ecx
- loc_804B905: ; CODE XREF: sub_804B7CC+160.j
- mov eax, ecx
- mov edx, 7
- loc_804B90C: ; CODE XREF: sub_804B7CC+150.j
- test al, 1
- jz short loc_804B919
- shr eax, 1
- xor eax, 0EDB88320h
- jmp short loc_804B91B
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- loc_804B919: ; CODE XREF: sub_804B7CC+142.j
- shr eax, 1
- loc_804B91B: ; CODE XREF: sub_804B7CC+14B.j
- dec edx
- jns short loc_804B90C
- mov ds:dword_804E4E0[ecx*4], eax
- inc ecx
- cmp ecx, 0FFh
- jbe short loc_804B905
- mov ds:byte_804E4C0, 1
- loc_804B935: ; CODE XREF: sub_804B7CC+135.j
- or edx, 0FFFFFFFFh
- xor ecx, ecx
- loc_804B93A: ; CODE XREF: sub_804B7CC+184.j
- mov al, [ebx+ecx]
- xor eax, edx
- movzx eax, al
- shr edx, 8
- inc ecx
- xor edx, ds:dword_804E4E0[eax*4]
- cmp ecx, 50h
- jb short loc_804B93A
- mov eax, [ebp-280h]
- not edx
- mov [eax], edx
- mov eax, 1
- ; CODE XREF: sub_804B7CC+25.j
- ; sub_804B7CC+63.j
- lea esp, [ebp-0Ch]
- pop ebx
- pop esi
- pop edi
- pop ebp
- retn
- sub_8049FD8:
- push ebp
- mov ebp, esp
- push edi
- push esi
- xor edi, edi
- cmp [ebp+18h], 1
- push ebx
- mov esi, [ebp+16]
- mov ebx, [ebp+12]
- jz short loc_804A036
- loc_8049FEC: ; CODE XREF: sub_8049FD8+5C.j
- test edi, edi
- jz short loc_804A001
- test edi, 3
- jnz short loc_804A001
- mov eax, [ebp+14h]
- mov byte ptr [eax+edi], 2Dh
- jmp short loc_804A02D
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- loc_804A001: ; CODE XREF: sub_8049FD8+16.j
- ; sub_8049FD8+1E.j
- push 0
- push 23h
- push esi
- push ebx
- call sub_804D220
- mov edx, [ebp+8]
- mov al, [edx+eax]
- add esp, 10h
- mov edx, [ebp+14h]
- mov [edx+edi], al
- push 0
- push 23h
- push esi
- push ebx
- call sub_804D0D0
- mov ebx, eax
- add esp, 10h
- mov esi, edx
- loc_804A02D: ; CODE XREF: sub_8049FD8+27.j
- mov eax, [ebp+18h]
- inc edi
- dec eax
- cmp edi, eax
- jb short loc_8049FEC
- loc_804A036: ; CODE XREF: sub_8049FD8+12.j
- mov eax, [ebp+14h]
- mov edx, [ebp+18h]
- mov byte ptr [eax+edx-1], 0
- lea esp, [ebp-0Ch]
- pop ebx
- pop esi
- pop edi
- pop ebp
- retn
- sub_804D220:
- push ebp
- mov ebp, esp
- push edi
- push esi
- sub esp, 30h
- mov edx, [ebp+14h]
- mov eax, [ebp+16]
- mov edi, edx
- lea ecx, [ebp-10h]
- mov esi, eax
- mov edx, [ebp+12]
- mov eax, [ebp+8]
- test edi, edi
- mov dword ptr [ebp-20h], 0
- mov dword ptr [ebp-1ch], 0
- mov [ebp-14h], ecx
- mov [ebp-24h], eax
- mov [ebp-34h], edx
- jnz short loc_804D2A0
- cmp esi, edx
- jbe loc_804D320
- div esi
- loc_804D260: ; CODE XREF: sub_804D220+11E.j
- mov ecx, [ebp-14h]
- test ecx, ecx
- mov [ebp-24h], edx
- jz short loc_804D285
- mov eax, [ebp-24h]
- mov [ebp-20h], eax
- mov dword ptr [ebp-1ch], 0
- loc_804D277: ; CODE XREF: sub_804D220+1D1.j
- mov eax, [ebp-14h]
- mov edx, [ebp-20h]
- mov ecx, [ebp-1ch]
- mov [eax], edx
- mov [eax+4], ecx
- loc_804D285: ; CODE XREF: sub_804D220+48.j
- ; sub_804D220+DA.j ...
- mov eax, [ebp-10h]
- mov edx, [ebp-0ch]
- add esp, 30h
- pop esi
- pop edi
- pop ebp
- retn
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D2A0: ; CODE XREF: sub_804D220+34.j
- cmp edi, [ebp-34h]
- jbe short loc_804D2D0
- mov edx, [ebp+8]
- mov ecx, [ebp-34h]
- mov [ebp-20h], edx
- mov [ebp-1ch], ecx
- mov eax, [ebp-20h]
- mov edx, [ebp-1ch]
- mov [ebp-10h], eax
- mov [ebp-0ch], edx
- add esp, 30h
- pop esi
- pop edi
- pop ebp
- retn
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D2D0: ; CODE XREF: sub_804D220+83.j
- bsr eax, edi
- xor eax, 1Fh
- mov [ebp-2ch], eax
- jnz short loc_804D350
- cmp [ebp-34h], edi
- ja short loc_804D2E5
- cmp [ebp-24h], esi
- jb short loc_804D2F5
- loc_804D2E5: ; CODE XREF: sub_804D220+BE.j
- mov edx, [ebp-34h]
- mov eax, [ebp-24h]
- sub eax, esi
- sbb edx, edi
- mov [ebp-24h], eax
- mov [ebp-34h], edx
- loc_804D2F5: ; CODE XREF: sub_804D220+C3.j
- mov edx, [ebp-14h]
- test edx, edx
- jz short loc_804D285
- mov eax, [ebp-24h]
- mov edx, [ebp-34h]
- mov [ebp-20h], eax
- mov [ebp-1ch], edx
- mov ecx, [ebp-14h]
- mov eax, [ebp-20h]
- mov edx, [ebp-1ch]
- mov [ecx], eax
- mov [ecx+4], edx
- jmp loc_804D285
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D320: ; CODE XREF: sub_804D220+38.j
- test esi, esi
- jnz short loc_804D32F
- mov eax, 1
- xor edx, edx
- div esi
- mov esi, eax
- loc_804D32F: ; CODE XREF: sub_804D220+102.j
- mov eax, [ebp-34h]
- mov edx, edi
- div esi
- mov eax, [ebp-24h]
- mov [ebp-34h], edx
- div esi
- jmp loc_804D260
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D350: ; CODE XREF: sub_804D220+B9.j
- mov eax, 20h
- sub eax, [ebp-2ch]
- mov [ebp-28h], eax
- mov edx, edi
- mov cl, byte ptr [ebp-2ch]
- shl edx, cl
- mov eax, esi
- mov cl, byte ptr [ebp-28h]
- shr eax, cl
- mov cl, byte ptr [ebp-2ch]
- shl esi, cl
- mov edi, edx
- mov cl, byte ptr [ebp-28h]
- mov edx, [ebp-34h]
- or edi, eax
- shr edx, cl
- mov eax, [ebp-34h]
- mov cl, byte ptr [ebp-2ch]
- shl eax, cl
- mov [ebp-34h], eax
- mov cl, byte ptr [ebp-28h]
- mov eax, [ebp-24h]
- shr eax, cl
- or eax, [ebp-34h]
- mov [ebp-34h], eax
- mov cl, byte ptr [ebp-2ch]
- div edi
- mov [ebp-34h], edx
- shl [ebp-24h], cl
- mul esi
- cmp edx, [ebp-34h]
- mov [ebp-38h], eax
- ja short loc_804D3B2
- jnz short loc_804D3BC
- mov eax, [ebp-24h]
- cmp [ebp-38h], eax
- jbe short loc_804D3BC
- loc_804D3B2: ; CODE XREF: sub_804D220+186.j
- mov ecx, [ebp-38h]
- sub ecx, esi
- sbb edx, edi
- mov [ebp-38h], ecx
- loc_804D3BC: ; CODE XREF: sub_804D220+188.j
- ; sub_804D220+190.j
- mov eax, [ebp-14h]
- test eax, eax
- jz loc_804D285
- mov ecx, [ebp-34h]
- mov eax, [ebp-24h]
- sub eax, [ebp-38h]
- sbb ecx, edx
- mov [ebp-34h], ecx
- mov edx, ecx
- mov cl, byte ptr [ebp-28h]
- shl edx, cl
- mov cl, byte ptr [ebp-2ch]
- mov [ebp-24h], eax
- shr eax, cl
- or edx, eax
- mov eax, [ebp-34h]
- shr eax, cl
- mov [ebp-20h], edx
- mov [ebp-1ch], eax
- jmp loc_804D277
- sub_804D0D0:
- push ebp
- mov ebp, esp
- push edi
- push esi
- sub esp, 14h
- mov edx, [ebp+14h]
- mov esi, [ebp+8]
- mov edi, [ebp+12]
- mov eax, [ebp+16]
- test edx, edx
- mov [ebp-10h], esi
- mov [ebp-1ch], eax
- mov [ebp-0ch], edx
- mov esi, edi
- jnz short loc_804D110
- cmp eax, edi
- jbe short loc_804D170
- mov edx, edi
- mov eax, [ebp-10h]
- div dword ptr [ebp-1ch]
- mov edi, eax
- jmp short loc_804D120
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D110: ; CODE XREF: sub_804D0D0+21.j
- cmp [ebp-0ch], edi
- jbe short loc_804D140
- xor edi, edi
- mov esi, esi
- lea edi, [edi+0]
- loc_804D120: ; CODE XREF: sub_804D0D0+31.j
- ; sub_804D0D0+88.j ...
- mov dword ptr [ebp-14h], 0
- mov edx, [ebp-14h]
- add esp, 14h
- pop esi
- mov eax, edi
- pop edi
- pop ebp
- retn
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D140: ; CODE XREF: sub_804D0D0+43.j
- bsr eax, [ebp-0ch]
- mov edi, eax
- xor edi, 1Fh
- jnz short loc_804D1B0
- cmp esi, [ebp-0ch]
- ja short loc_804D15A
- mov edx, [ebp-1ch]
- xor edi, edi
- cmp [ebp-10h], edx
- jb short loc_804D120
- loc_804D15A: ; CODE XREF: sub_804D0D0+7E.j
- mov edi, 1
- jmp short loc_804D120
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- jmp short loc_804D170
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D170: ; CODE XREF: sub_804D0D0+25.j
- ; sub_804D0D0+91.j
- mov eax, [ebp-1ch]
- test eax, eax
- jnz short loc_804D185
- mov eax, 1
- xor ecx, ecx
- xor edx, edx
- div ecx
- mov [ebp-1ch], eax
- loc_804D185: ; CODE XREF: sub_804D0D0+A5.j
- mov eax, esi
- xor edx, edx
- div dword ptr [ebp-1ch]
- mov [ebp-14h], eax
- mov eax, [ebp-10h]
- div dword ptr [ebp-1ch]
- mov edx, [ebp-14h]
- add esp, 14h
- mov edi, eax
- pop esi
- mov eax, edi
- pop edi
- pop ebp
- retn
- ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
- align 10h
- loc_804D1B0: ; CODE XREF: sub_804D0D0+79.j
- mov eax, 20h
- sub eax, edi
- mov [ebp-18h], eax
- mov ecx, edi
- mov edx, [ebp-0ch]
- shl edx, cl
- mov eax, [ebp-1ch]
- mov cl, byte ptr [ebp-18h]
- shr eax, cl
- or edx, eax
- mov ecx, edi
- shl dword ptr [ebp-1ch], cl
- mov [ebp-0ch], edx
- mov cl, byte ptr [ebp-18h]
- mov edx, esi
- shr edx, cl
- mov ecx, edi
- shl esi, cl
- mov eax, [ebp-10h]
- mov cl, byte ptr [ebp-18h]
- shr eax, cl
- or esi, eax
- mov ecx, edi
- mov eax, esi
- div dword ptr [ebp-0ch]
- mov esi, edx
- mov edi, eax
- shl dword ptr [ebp-10h], cl
- mov eax, [ebp-1ch]
- mul edi
- cmp edx, esi
- ja short loc_804D20E
- jnz loc_804D120
- cmp eax, [ebp-10h]
- jbe loc_804D120
- loc_804D20E: ; CODE XREF: sub_804D0D0+12D.j
- dec edi
- jmp loc_804D120
- }
- }
- __declspec(naked) int check(unsigned char * zz ){
- __asm
- {
- push ebp
- mov ebp, esp
- push ebx
- sub esp, 10h
- mov eax, [ebp+8]
- movzx ebx, word ptr [eax+0Ah]
- push eax
- call sub_80482E8
- add esp, 10h
- cmp ebx, eax
- setz al
- movzx eax, al
- mov ebx, [ebp-4]
- leave
- retn
- sub_80482E8:
- push ebp
- mov ebp, esp
- push esi
- push ebx
- xor ecx, ecx
- mov ebx, [ebp+8]
- xor esi, esi
- xor edx, edx
- loc_80482F6:
- mov ax, [ebx+edx*2]
- test ax, ax
- jz short loc_8048304
- mov esi, 1
- loc_8048304:
- movzx eax, ax
- inc edx
- add ecx, eax
- cmp edx, 4
- jbe short loc_80482F6
- mov eax, esi
- test al, al
- jz short loc_804831E
- not ecx
- movzx eax, cx
- loc_804831A:
- pop ebx
- pop esi
- leave
- retn
- loc_804831E:
- mov eax, 0FFFFh
- jmp short loc_804831A
- }
- }
- int main(int argc, char* argv[])
- {
- register int i,j,k,l,m,n,o,p,q,r,s,t,u,v,zz=0;
- unsigned char *mf;
- unsigned char z;
- FILE *fp;
- if (argc < 2){
- printf ("输入参数: 原文件名 硬盘ID文件\n");
- printf ("\n");
- printf ("本工具的作用是做Mikrotik RouterOS 的序列号计算\n");
- printf ("\n");
- printf ("想得太美 编写于 2007.5.5 17:33\n");
- return 1;}
- if (( fp = fopen(argv[1],"r")) == NULL)
- {
- fprintf(stderr,"ID文件打开错误!");
- _exit (1);
- }
-
- if (fread (hdinfo,1,512,fp) < 512)
- {
- fprintf(stderr,"ID文件长度不正确!");
- _exit (1);
- }
-
- mf=mbrinfo+0x100;
- #pragma omp parallel for firstprivate(i,j,l,m,n,o,p,q,r,s,t,u,v,sn,mbrinfo)
- for (k=97;k<99;k++){
- mbrinfo[0x109]=k;
- for (l=53;l<99;l++){
- mbrinfo[0x108]=l;
- for (m=20;m<99;m++){
- mbrinfo[0x107]=m;
- for (n=34;n<99;n++){
- mbrinfo[0x106]=n;
- for (o=14;o<99;o++){
- mbrinfo[0x105]=o;
- for (p=57;p<99;p++){
- mbrinfo[0x104]=p;
- for (q=31;q<56;q++){
- mbrinfo[0x103]=q;
- for (r=48;r<86;r++){
- mbrinfo[0x102]=r;
- for (s=63;s>0;s--){
- mbrinfo[0x101]=s;
- for (t=1;t<99;t++){
- mbrinfo[0x100]=t;
- test(dev,mbrinfo,sn);
- if ( (strncmp(sn,"ILTS-NX0",4) == 0) || (strncmp(sn,"VY3P-XNN",8) == 8) || (strncmp(sn,"LF15-2JT",8) == 0) || (strncmp(sn,"8T9V-HKT",8) == 0) || (strncmp(sn,"798Y-K0N",8) == 0) || (strncmp(sn,"Q8C4-1AN",8) == 0) || (strncmp(sn,"FAVD-NFT",8) == 0) || (strncmp(sn,"VNDH-NLN",8) == 0)\
- || (strncmp(sn,"AK73-PET",8) == 0)|| (strncmp(sn,"3N5N-F4N",8) == 0)|| (strncmp(sn,"PPT4-3EN",8) == 0)|| (strncmp(sn,"2EM4-MBT",8) == 0)|| (strncmp(sn,"UPBY-JIN",8) == 0)|| (strncmp(sn,"C1HM-PRT",8) == 0)|| (strncmp(sn,"M83D-ICN",8) == 0)|| (strncmp(sn,"NNFT-86N",8) == 0))
- {
- for (i=0;i<256;i++) {
- mbrinfo[0x10a]=i;
- for (j=0;j<256;j++) {
- mbrinfo[256+11]=j;
- if (check(mbrinfo+256)){
- printf("编号:%d, 序列号是: %s, 关键特征码是: ",zz++,sn);
- for (u=0x100;u<0x10c;u++) printf("%02x",mbrinfo[u]);
- printf("\n");
- }}}}}}}}}}}}}}
- return 0;
- }
|
|
|Archiver|手机版|小黑屋|软路由
( 渝ICP备15001194号-1|
渝公网安备 50011602500124号 )
IP卡
狗仔卡
发表于 2019-4-20 22:22:27
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡
发表于 2019-4-21 07:28:53
